About This eBook

ePUB is an open, industry-standard format for eBooks. However, support of ePUB and its many features varies across reading devices and applications. Use your device or app settings to customize the presentation to your liking. Settings that you can customize often include font, font size, single or double column, landscape or portrait mode, and figures that you can click or tap to enlarge. For additional information about the settings and features on your reading device or app, visit the device manufacturer’s Web site.

Many titles include programming code or configuration examples. To optimize the presentation of these elements, view the eBook in single-column, landscape mode and adjust the font size to the smallest setting. In addition to presenting code and configurations in the reflowable text format, we have included images of the code that mimic the presentation found in the print book; therefore, where the reflowable format may compromise the presentation of the code listing, you will see a “Click here to view code image” link. Click the link to view the print-fidelity code image. To return to the previous page viewed, click the Back button on your device or app.

Foundations of Modern Networking

SDN, NFV, QoE, IoT, and Cloud

William Stallings

With contributions by:

Florence Agboma
British Sky Broadcasting

Sofiene Jelassi
Assistant Professor
University of Monastir, Tunisia

800 East 96th Street, Indianapolis, Indiana 46240 USA

Foundations of Modern Networking: SDN, NFV, QoE, IoT, and Cloud

Copyright © 2016 by Pearson Education, Inc.

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. To obtain permission to use material from this work, please submit a written request to Pearson Education, Inc., Permissions Department, 200 Old Tappan Road, Old Tappan, New Jersey 07675, or you may fax your request to (201) 236-3290.

ISBN-13: 978-0-13-417539-3
ISBN-10: 0-13-417539-5

Library of Congress Control Number: 2015950673

Text printed in the United States on recycled paper at RR Donnelley, Crawfordsville, IN

First printing: November 2015

Associate Publisher
Dave Dusthimer

Executive Editor
Brett Bartow

Senior Development Editor
Christopher Cleveland

Managing Editor
Sandra Schroeder

Project Editor
Mandie Frank

Copy Editor
Keith Cline

Indexer
Publishing Works

Proofreader
Katie Matejka

Technical Reviewers
Wendell Odom
Tim Szigeti

Editorial Assistant
Vanessa Evans

Designer
Alan Clements

Compositor
Mary Sudul

Trademarks

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

Warning and Disclaimer

The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

Special Sales

For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419.

For government sales inquiries, please contact governmentsales@pearsoned.com.

For questions about sales outside the U.S., please contact international@pearsoned.com.

Visit us on the Web: informit.com/aw

Contents at a Glance

Preface

PART I MODERN NETWORKING
CHAPTER 1 Elements of Modern Networking
CHAPTER 2 Requirements and Technology

PART II SOFTWARE-DEFINED NETWORKS
CHAPTER 3 SDN: Background and Motivation
CHAPTER 4 SDN Data Plane and OpenFlow
CHAPTER 5 SDN Control Plane
CHAPTER 6 SDN Application Plane

PART III VIRTUALIZATION
CHAPTER 7 Network Functions Virtualization: Concepts and Architecture
CHAPTER 8 NFV Functionality
CHAPTER 9 Network Virtualization

PART IV DEFINING AND SUPPORTING USER NEEDS
CHAPTER 10 Quality of Service
CHAPTER 11 QoE: User Quality of Experience
CHAPTER 12 Network Design Implications of QoS and QoE

PART V MODERN NETWORK ARCHITECTURE: CLOUDS AND FOG
CHAPTER 13 Cloud Computing
CHAPTER 14 The Internet of Things: Components
CHAPTER 15 The Internet of Things: Architecture and Implementation

PART VI RELATED TOPICS
CHAPTER 16 Security
CHAPTER 17 The Impact of the New Networking on IT Careers

Appendix A: References

Glossary

Index

Table of Contents

Preface

PART I MODERN NETWORKING

Chapter 1: Elements of Modern Networking
1.1 The Networking Ecosystem
1.2 Example Network Architectures
    A Global Network Architecture
    A Typical Network Hierarchy
1.3 Ethernet
    Applications of Ethernet
    Standards
    Ethernet Data Rates
1.4 Wi-Fi
    Applications of Wi-Fi
    Standards
    Wi-Fi Data Rates
1.5 4G/5G Cellular
    First Generation
    Second Generation
    Third Generation
    Fourth Generation
    Fifth Generation
1.6 Cloud Computing
    Cloud Computing Concepts
    The Benefits of Cloud Computing
    Cloud Networking
    Cloud Storage
1.7 Internet of Things
    Things on the Internet of Things
    Evolution
    Layers of the Internet of Things
1.8 Network Convergence
1.9 Unified Communications
1.10 Key Terms
1.11 References

Chapter 2: Requirements and Technology
2.1 Types of Network and Internet Traffic
    Elastic Traffic
    Inelastic Traffic
    Real-Time Traffic Characteristics
2.2 Demand: Big Data, Cloud Computing, and Mobile Traffic
    Big Data
    Cloud Computing
    Mobile Traffic
2.3 Requirements: QoS and QoE
    Quality of Service
    Quality of Experience
2.4 Routing
    Characteristics
    Packet Forwarding
    Routing Protocols
    Elements of a Router
2.5 Congestion Control
    Effects of Congestion
    Congestion Control Techniques
2.6 SDN and NFV
    Software-Defined Networking
    Network Functions Virtualization
2.7 Modern Networking Elements
2.8 Key Terms
2.9 References

PART II SOFTWARE-DEFINED NETWORKS

Chapter 3: SDN: Background and Motivation
3.1 Evolving Network Requirements
    Demand Is Increasing
    Supply Is Increasing
    Traffic Patterns Are More Complex
    Traditional Network Architectures Are Inadequate
3.2 The SDN Approach
    Requirements
    SDN Architecture
    Characteristics of Software-Defined Networking
3.3 SDN- and NFV-Related Standards
    Standards-Developing Organizations
    Industry Consortia
    Open Development Initiatives
3.4 Key Terms
3.5 References

Chapter 4: SDN Data Plane and OpenFlow
4.1 SDN Data Plane
    Data Plane Functions
    Data Plane Protocols
4.2 OpenFlow Logical Network Device
    Flow Table Structure
    Flow Table Pipeline
    The Use of Multiple Tables
    Group Table
4.3 OpenFlow Protocol
4.4 Key Terms

Chapter 5: SDN Control Plane
5.1 SDN Control Plane Architecture
    Control Plane Functions
    Southbound Interface
    Northbound Interface
    Routing
5.2 ITU-T Model
5.3 OpenDaylight
    OpenDaylight Architecture
    OpenDaylight Helium
5.4 REST
    REST Constraints
    Example REST API
5.5 Cooperation and Coordination Among Controllers
    Centralized Versus Distributed Controllers
    High-Availability Clusters
    Federated SDN Networks
    Border Gateway Protocol
    Routing and QoS Between Domains
    Using BGP for QoS Management
    IETF SDNi
    OpenDaylight SDNi
5.6 Key Terms
5.7 References

Chapter 6: SDN Application Plane
6.1 SDN Application Plane Architecture
    Northbound Interface
    Network Services Abstraction Layer
    Network Applications
    User Interface
6.2 Network Services Abstraction Layer
    Abstractions in SDN
    Frenetic
6.3 Traffic Engineering
    PolicyCop
6.4 Measurement and Monitoring
6.5 Security
    OpenDaylight DDoS Application
6.6 Data Center Networking
    Big Data over SDN
    Cloud Networking over SDN
6.7 Mobility and Wireless
6.8 Information-Centric Networking
    CCNx
    Use of an Abstraction Layer
6.9 Key Terms

PART III VIRTUALIZATION

Chapter 7: Network Functions Virtualization: Concepts and Architecture
7.1 Background and Motivation for NFV
7.2 Virtual Machines
    The Virtual Machine Monitor
    Architectural Approaches
    Container Virtualization
7.3 NFV Concepts
    Simple Example of the Use of NFV
    NFV Principles
    High-Level NFV Framework
7.4 NFV Benefits and Requirements
    NFV Benefits
    NFV Requirements
7.5 NFV Reference Architecture
    NFV Management and Orchestration
    Reference Points
    Implementation
7.6 Key Terms
7.7 References

Chapter 8: NFV Functionality
8.1 NFV Infrastructure
    Container Interface
    Deployment of NFVI Containers
    Logical Structure of NFVI Domains
    Compute Domain
    Hypervisor Domain
    Infrastructure Network Domain
8.2 Virtualized Network Functions
    VNF Interfaces
    VNFC to VNFC Communication
    VNF Scaling
8.3 NFV Management and Orchestration
    Virtualized Infrastructure Manager
    Virtual Network Function Manager
    NFV Orchestrator
    Repositories
    Element Management
    OSS/BSS
8.4 NFV Use Cases
    Architectural Use Cases
    Service-Oriented Use Cases
8.5 SDN and NFV
8.6 Key Terms
8.7 References

Chapter 9: Network Virtualization
9.1 Virtual LANs
    The Use of Virtual LANs
    Defining VLANs
    Communicating VLAN Membership
    IEEE 802.1Q VLAN Standard
    Nested VLANs
9.2 OpenFlow VLAN Support
9.3 Virtual Private Networks
    IPsec VPNs
    MPLS VPNs
9.4 Network Virtualization
    A Simplified Example
    Network Virtualization Architecture
    Benefits of Network Virtualization
9.5 OpenDaylight’s Virtual Tenant Network
9.6 Software-Defined Infrastructure
    Software-Defined Storage
    SDI Architecture
9.7 Key Terms
9.8 References

PART IV DEFINING AND SUPPORTING USER NEEDS

Chapter 10: Quality of Service
10.1 Background
10.2 QoS Architectural Framework
    Data Plane
    Control Plane
    Management Plane
10.3 Integrated Services Architecture
    ISA Approach
    ISA Components
    ISA Services
    Queuing Discipline
10.4 Differentiated Services
    Services
    DiffServ Field
    DiffServ Configuration and Operation
    Per-Hop Behavior
    Default Forwarding PHB
10.5 Service Level Agreements
10.6 IP Performance Metrics
10.7 OpenFlow QoS Support
    Queue Structures
    Meters
10.8 Key Terms
10.9 References

Chapter 11: QoE: User Quality of Experience
11.1 Why QoE?
    Online Video Content Delivery
11.2 Service Failures Due to Inadequate QoE Considerations
11.3 QoE-Related Standardization Projects
11.4 Definition of Quality of Experience
    Definition of Quality
    Definition of Experience
    Quality Formation Process
    Definition of Quality of Experience
11.5 QoE Strategies in Practice
    The QoE/QoS Layered Model
    Summarizing and Merging the QoE/QoS Layers
11.6 Factors Influencing QoE
11.7 Measurements of QoE
    Subjective Assessment
    Objective Assessment
    End-User Device Analytics
    Summarizing the QoE Measurement Methods
11.8 Applications of QoE
11.9 Key Terms
11.10 References

Chapter 12: Network Design Implications of QoS and QoE
12.1 Classification of QoE/QoS Mapping Models
    Black-Box Media-Based QoS/QoE Mapping Models
    Glass-Box Parameter-Based QoS/QoE Mapping Models
    Gray-Box QoS/QoE Mapping Models
    Tips for QoS/QoE Mapping Model Selection
12.2 IP-Oriented Parameter-Based QoS/QoE Mapping Models
    Network Layer QoE/QoS Mapping Models for Video Services
    Application Layer QoE/QoS Mapping Models for Video Services
12.3 Actionable QoE over IP-Based Networks
    The System-Oriented Actionable QoE Solution
    The Service-Oriented Actionable QoE Solution
12.4 QoE Versus QoS Service Monitoring
    QoS Monitoring Solutions
    QoE Monitoring Solutions
12.5 QoE-Based Network and Service Management
    QoE-Based Management of VoIP Calls
    QoE-Based Host-Centric Vertical Handover
    QoE-Based Network-Centric Vertical Handover
12.6 Key Terms
12.7 References

PART V MODERN NETWORK ARCHITECTURE: CLOUDS AND FOG

Chapter 13: Cloud Computing
13.1 Basic Concepts
13.2 Cloud Services
    Software as a Service
    Platform as a Service
    Infrastructure as a Service
    Other Cloud Services
    XaaS
13.3 Cloud Deployment Models
    Public Cloud
    Private Cloud
    Community Cloud
    Hybrid Cloud
13.4 Cloud Architecture
    NIST Cloud Computing Reference Architecture
    ITU-T Cloud Computing Reference Architecture
13.5 SDN and NFV
    Service Provider Perspective
    Private Cloud Perspective
    ITU-T Cloud Computing Functional Reference Architecture
13.6 Key Terms

Chapter 14: The Internet of Things: Components
14.1 The IoT Era Begins
14.2 The Scope of the Internet of Things
14.3 Components of IoT-Enabled Things
    Sensors
    Actuators
    Microcontrollers
    Transceivers
    RFID
14.4 Key Terms
14.5 References

Chapter 15: The Internet of Things: Architecture and Implementation
15.1 IoT Architecture
    ITU-T IoT Reference Model
    IoT World Forum Reference Model
15.2 IoT Implementation
    IoTivity
    Cisco IoT System
    ioBridge
15.3 Key Terms
15.4 References

PART VI RELATED TOPICS

Chapter 16: Security
16.1 Security Requirements
16.2 SDN Security
    Threats to SDN
    Software-Defined Security
16.3 NFV Security
    Attack Surfaces
    ETSI Security Perspective
    Security Techniques
16.4 Cloud Security
    Security Issues and Concerns
    Cloud Security Risks and Countermeasures
    Data Protection in the Cloud
    Cloud Security as a Service
    Addressing Cloud Computer Security Concerns
16.5 IoT Security
    The Patching Vulnerability
    IoT Security and Privacy Requirements Defined by ITU-T
    An IoT Security Framework
    Conclusion
16.6 Key Terms
16.7 References

Chapter 17: The Impact of the New Networking on IT Careers
17.1 The Changing Role of Network Professionals
    Changing Responsibilities
    Impact on Job Positions
    Bottom Line
17.2 DevOps
    DevOps Fundamentals
    The Demand for DevOps
    DevOps for Networking
    DevOps Network Offerings
    Cisco DevNet
    Conclusion on the Current State of DevOps
17.3 Training and Certification
    Certification Programs
    IT Skills
17.4 Online Resources
17.5 References

Appendix A: References

Glossary

Index

About the Author

Dr. William Stallings has made a unique contribution to understanding the broad sweep of technical developments in computer security, computer networking, and computer architecture. He has authored 18 textbooks, and, counting revised editions, a total of 70 books on various aspects of these subjects. His writings have appeared in numerous ACM and IEEE publications, including the Proceedings of the IEEE and ACM Computing Reviews. He has received the Text and Academic Authors Association award for the best computer science textbook of the year 13 times.

In over 30 years in the field, he has been a technical contributor, technical manager, and an executive with several high-technology firms. He has designed and implemented both TCP/IP-based and OSI-based protocol suites on a variety of computers and operating systems, ranging from microcomputers to mainframes. Currently, he is an independent consultant whose clients have included computer and networking manufacturers and customers, software development firms, and leading-edge government research institutions.

He created and maintains the Computer Science Student Resource Site at ComputerScienceStudent.com/. This site provides documents and links on a variety of subjects of general interest to computer science students (and professionals). He is a member of the editorial board of Cryptologia, a scholarly journal devoted to all aspects of cryptology.

Dr. Stallings holds a Ph.D. from M.I.T. in Computer Science and a B.S. from Notre Dame in electrical engineering.

About the Contributing Authors

Florence Agboma currently works as a Technology Analyst at British Sky Broadcasting (BSkyB), London. Her work includes streaming video quality improvements for different video platforms such as linear OTT, VoD, and broadcast. She is a member of the Video Quality Experts Group (VQEG). Dr. Agboma holds a Ph.D. from the University of Essex, United Kingdom, where her research focused on quality of experience for mobile content delivery systems.

Dr. Agboma has published a number of peer-reviewed articles in journal papers, book chapters, and international conference proceedings. Her interests include video quality assessments, psychophysical methods, pay TV analytics, quality of experience management, and emerging broadcast TV technologies such as high dynamic range and ultra HD.

Sofiene Jelassi received a Bachelor of Science and a Master of Science from the University of Monastir, Tunisia, in June 2003 and December 2005, respectively. He obtained a Ph.D. in Computer Science from the University of Pierre and Marie Curie, Paris, France, in February 2010. His doctoral thesis was titled Adaptive Quality Control of Packetized Voice Conversations over Mobile Ad-Hoc Networks. From June 2010 to December 2013, he worked as an R&D engineer at Inria within the DIONYSOS research group. From January to December 2014, he worked as a post-doctoral fellow at GTA/UFRJ in Rio de Janeiro, Brazil. Since January 2015, he has been working as an Assistant Professor at the University of Monastir, Tunisia. His research includes wired and wireless software-defined networks (SDNs), server and network virtualization, network monitoring, content-oriented management of mobile networks and services, mobile virtual network operators (MVNO), customized voice and video systems, quality of user experience (QoE) measurement and modeling, in-lab and in-field usability testing, crowdsourcing, user profiling, context sensing, service gamification, and social-driven emergency services. Dr. Jelassi has more than 20 papers published in international journals and conferences.

Dedication

To Tricia, my loving wife, the kindest and gentlest person.

Acknowledgments

This book has benefited from review by a number of people who gave generously of their time and expertise. I especially thank Wendell Odom (Certskills, LLC) and Tim Szigeti (Cisco Systems), who each devoted an enormous amount of time to a detailed review of the entire manuscript.

Thanks also to the many people who provided detailed technical reviews of one or more chapters: Christian Adell (Corporació Catalana de Mitjans Audiovisuals), Eduard Dulharu (AT&T Germany), Cemal Duman (Ericsson), David L. Foote (NFV Forum (ATIS)), Harold Fritts, Scott Hogg (Global Technology Resources), Justin Kang (Accenture), Sergey Katsev (Fortinet), Raymond Kelly (Telecoms Now Ltd), Faisal Khan (Mobily Saudi Arabia), Epameinondas Kontothanasis (Unifys), Sashi Kumar (Intel), Hongwei Li (Hewlett-Packard), Cynthia Lopes (Maya Technologies), Simone Mangiante (EMC), Roberto Fuentes Martinez (Tecnocom), Mali Naghavi (Ericsson), Fatih Eyup Nar (Ericsson USA), Jimmy Ng (Huawei Technologies), Mark Noble (Salix Technology Services), Luke Reid (Sytel Reply UK), David Schuckman (State Farm Insurance), Vivek Srivastava (Zscaler), Istvan Teglas (Cisco Systems), and Paul Zanna (Northbound Networks).

Finally, I want to thank the many people at Pearson responsible for the publication of the book. This includes the staff at Pearson, particularly Senior Development Editor Chris Cleveland; Executive Editor Brett Bartow, and his assistant Vanessa Evans; and Project Editor Mandie Frank. Thanks also to the marketing and sales staffs at Pearson, without whose efforts this book would not be in front of you.

With all this assistance, little remains for which I can take full credit. However, I am proud to say that, with no help whatsoever, I selected all the quotations.

前言

Preface

 

有书,督察。我把它留给你,你不能怀疑它包含了完整的解释。

There is the book, Inspector. I leave it with you, and you cannot doubt that it contains a full explanation.

 

—— 《狮鬃毛历险记》,阿瑟·柯南·道尔爵士

The Adventure of the Lion’s Mane, Sir Arthur Conan Doyle

 

背景

Background

 

许多因素汇聚在一起,引发了计算机和通信网络的最新革命:

A host of factors have converged to produce the latest revolution in computer and communications networking:

 

图像 需求:企业面临着大量的需求,这些需求将注意力集中在设计、评估、管理和维护复杂的网络基础设施上。这些趋势包括以下内容:

Demand: Enterprises are faced with a surge of demands that focus their attention on the need to design, evaluate, manage, and maintain sophisticated network infrastructures. These trends include the following:

 

图像 大数据:大大小小的企业越来越依赖于处理和分析大量数据。为了在可容忍的时间内处理大量数据,大数据可能需要分布式文件系统、分布式数据库、云计算平台、互联网存储和其他可扩展的存储技术。

Big data: Enterprises large and small increasingly rely on processing and analyzing massive amounts of data. To process large quantities of data within tolerable time periods, big data may need distributed file systems, distributed databases, cloud computing platforms, Internet storage, and other scalable storage technologies.

 

图像 云计算:许多组织有一个日益突出的趋势,即将大部分甚至全部信息技术 (IT) 运营转移到与互联网连接的基础设施(称为企业云计算)。IT 数据处理的巨大转变伴随着网络要求的同样巨大的转变。

Cloud computing: There is an increasingly prominent trend in many organizations to move a substantial portion or even all information technology (IT) operations to an Internet-connected infrastructure known as enterprise cloud computing. This drastic shift in IT data processing is accompanied by an equally drastic shift in networking requirements.

 

图像 物联网 (IoT):物联网涉及大量使用标准通信架构为最终用户提供服务的对象。数十亿个此类设备将在工业、商业和政府网络中互连,提供物理世界与计算、数字内容、分析、应用程序和服务之间的新交互。物联网为各个领域的用户、制造商和服务提供商提供了前所未有的机遇。受益于物联网数据收集、分析和自动化功能的领域包括健康和健身、医疗保健、家庭监控和自动化、节能和智能电网、农业、运输、环境监测、库存和产品管理、安全、监控、教育、以及许多其他人。

Internet of Things (IoT): The IoT involves large numbers of objects that use standard communications architectures to provide services to end users. Billions of such devices will be interconnected in industrial, business, and government networks, providing new interactions between the physical world and computing, digital content, analysis, applications, and services. IoT provides unprecedented opportunities for users, manufacturers, and service providers in a wide variety of sectors. Areas that will benefit from IoT data collection, analysis, and automation capabilities include health and fitness, healthcare, home monitoring and automation, energy savings and smart grid, farming, transportation, environmental monitoring, inventory and product management, security, surveillance, education, and many others.

 

图像 移动设备:移动设备现在已成为每个企业 IT 基础设施不可或缺的一部分,包括雇主提供的设备和自带设备 (BYOD)。移动设备的大量使用对网络规划和管理产生了独特的新需求。

Mobile devices: Mobile devices are now an indispensable part of every enterprise IT infrastructure, including employer supplied and bring your own device (BYOD). The large population of mobile devices generates unique new demands on network planning and management.

Capacity: Two interlocking trends have generated new and urgent requirements for intelligent and efficient network design and management:

Gigabit data rate networks: Ethernet offerings have reached 100 Gbps with further increases in the works. Wi-Fi products at almost 7 Gbps are available. And 4G and 5G networks bring gigabit speeds to cellular networks.

High-speed, high-capacity servers: Massive blade servers and other high-performance servers have evolved to meet the increasing multimedia and data processing requirements of enterprises, calling for efficiently designed and managed networks.

Complexity: Network designers and managers operate in a complex, dynamic environment, in which a range of requirements, most especially quality of service (QoS) and quality of experience (QoE), require flexible, manageable networking hardware and services.

Security: With increasing reliance on networked resources, an increasing need emerges for networks that provide a range of security services.

With the development of new network technologies in response to these factors, it is imperative for system engineers, system analysts, IT managers, network designers, and product marketing specialists to have a firm grasp on modern networking. These professionals need to understand the implications of the factors listed above and how network designers have responded. Dominating this landscape are (1) two complementary technologies that are rapidly being developed and deployed (software-defined networking [SDN] and network functions virtualization [NFV]) and (2) the need to satisfy QoS and QoE requirements.

This book provides the reader with a thorough understanding of SDN and NFV and their practical deployment and use in today’s enterprises. In addition, the book provides clear explanations of QoS/QoE and the whole range of related issues, such as cloud networking and IoT. This is a technical book, intended for readers with some technical background, but is sufficiently self-contained to be a valuable resource for IT managers and product marketing personnel, in addition to system engineers, network maintenance personnel, and network and protocol designers.

Organization of the Book

The book consists of six parts:

Modern Networking: Provides an overview of modern networking and a context for the remainder of the book. Chapter 1 is a survey of the elements that make up the networking ecosystem, including network technologies, network architecture, services, and applications. Chapter 2 examines the requirements that have evolved for the current networking environment and provides a preview of key technologies for modern networking.

Software-Defined Networks: Devoted to a broad and thorough presentation of SDN concepts, technology, and applications. Chapter 3 begins the discussion by laying out what the SDN approach is and why it is needed, and provides an overview of the SDN architecture. This chapter also looks at the organizations that are issuing specifications and standards for SDN. Chapter 4 is a detailed look at the SDN data plane, including the key components, how they interact, and how they are managed. Much of the chapter is devoted to OpenFlow, a vital data plane technology and an interface to the control plane. The chapter explains why OpenFlow is needed and then proceeds to provide a detailed technical explanation. Chapter 5 is devoted to the SDN control plane. It includes a discussion of OpenDaylight, an important open source implementation of the control plane. Chapter 6 covers the SDN application plane. In addition to examining the general SDN application plane architecture, the chapter discusses six major application areas that can be supported by SDN and provides a number of examples of SDN applications.

Virtualization: Devoted to a broad and thorough presentation of network functions virtualization (NFV) concepts, technology, and applications, as well as a discussion of network virtualization. Chapter 7 introduces the concept of virtual machine, and then looks at the use of virtual machine technology to develop NFV-based networking environments. Chapter 8 provides a detailed discussion of NFV functionality. Chapter 9 looks at traditional concepts of virtual networks, then at the more modern approach to network virtualization, and finally introduces the concept of software defined infrastructure.

Defining and Supporting User Needs: Equally as significant as the emergence of the SDN and NFV is the evolution of quality of service (QoS) and quality of experience (QoE) to determine customer needs and network design responses to those needs. Chapter 10 provides an overview of QoS concepts and standards. Recently QoS has been augmented with the concept of QoE, which is particularly relevant to interactive video and multimedia network traffic. Chapter 11 provides an overview of QoE and discusses a number of practical aspects of implementing QoE mechanisms. Chapter 12 looks further into the network design implications of the combined use of QoS and QoE.

Modern Network Architecture: Clouds and Fog: The two dominant modern network architectures are cloud computing and the Internet of things (IoT), sometimes referred to as fog computing. The technologies and applications discussed in the preceding parts all provide a foundation for cloud computing and IoT. Chapter 13 is a survey of cloud computing. The chapter begins with a definition of basic concepts, and then covers cloud services, deployment models, and architecture. The chapter then discusses the relationship between cloud computing and SDN and NFV. Chapter 14 introduces IoT and provides a detailed look at the key components of IoT-enabled devices. Chapter 15 looks at several model IoT architectures and then describes three example IoT implementations.

Related Topics: Discusses two additional topics that, although important, do not conveniently fit into the other parts. Chapter 16 provides an analysis of security issues that have emerged with the evolution of modern networking. Separate sections deal with SDN, NFV, cloud, and IoT security, respectively. Chapter 17 discusses career-related issues, including the changing role of various network-related jobs, new skill requirements, and how the reader can continue his or her education to prepare for a career in modern networking.

Supporting Websites

I maintain a companion website at WilliamStallings.com/Network that includes a list of relevant links organized by chapter and an errata sheet for the book.

Companion website

I also maintain the Computer Science Student Resource Site, at ComputerScienceStudent.com. The purpose of this site is to provide documents, information, and links for computer science students and professionals. Links and documents are organized into seven categories:

Computer Science Student Resource Site

Math: Includes a basic math refresher, a queuing analysis primer, a number system primer, and links to numerous math sites.

How-to: Advice and guidance for solving homework problems, writing technical reports, and preparing technical presentations.

Research resources: Links to important collections of papers, technical reports, and bibliographies.

Other useful: A variety of other useful documents and links.

Computer science careers: Useful links and documents for those considering a career in computer science.

Writing help: Help in becoming a clearer, more effective writer.

Miscellaneous topics and humor: You have to take your mind off your work once in a while.

Part I: Modern Networking

The whole of this operation is described in minute detail in the official British Naval History, and should be studied with its excellent charts by those who are interested in its technical aspect. So complicated is the full story that the lay reader cannot see the wood for the trees. I have endeavored to render intelligible the broad effects.

The World Crisis, Winston Churchill

CHAPTER 1: Elements of Modern Networking

CHAPTER 2: Requirements and Technology

Part I provides an overview of modern networking and a context for the remainder of the book. Chapter 1 is a survey of the elements that make up the networking ecosystem, including network technologies, network architecture, services, and applications. In Chapter 2, we examine the requirements that have evolved for the current networking environment and provide a preview of key technologies for modern networking.

Chapter 1. Elements of Modern Networking

There is some evidence that computer networks will have a large impact on society. Likely areas are the economy, resources, small computers, human-to-human interaction, and computer research.

What Can Be Automated?

The Computer Science and Engineering Research Study, National Science Foundation, 1980

Chapter Objectives: After studying this chapter, you should be able to

Explain the key elements and their relationships of a modern networking ecosystem, including end users, network providers, application providers and application service providers.

Discuss the motivation for the typical network hierarchy of access networks, distribution networks, and core networks.

Present an overview of Ethernet, including a discussion of its application areas and common data rates.

Present an overview of Wi-Fi, including a discussion of its application areas and common data rates.

Understand the differences between the five generations of cellular networks.

Present an overview of cloud computing concepts.

Describe the Internet of Things.

Explain the concepts of network convergence and unified communications.

Long gone are the days when a single vendor, such as IBM, could provide an enterprise with all the products and services required by their information technology (IT) department, including computer hardware, system software, applications software, and communications and networking equipment and services. Today, users and enterprises face complex, heterogeneous and diverse environments that require sophisticated and advanced solutions.

The focus of this book is twofold:

The networking technologies that enable the design, development, deployment, and operation of complex modern networks, including and especially software-defined networks (SDN), network functions virtualization (NFV), quality of service (QoS), and quality of experience (QoE).

The network architectures that have come to dominate modern networking, which are cloud networking and the Internet of Things (IoT), also known as fog networking.

But before diving into the details of these technologies, we need an overview of the current networking environment and the challenges it brings.

This chapter provides a brief survey of the key elements of modern networking. We begin with a top-level description of what might be considered the typical networking ecosystem. Then, Section 1.2 looks in more detail at the way in which the network elements are organized. Next, Sections 1.3 through 1.5 examine the key high-speed network technologies that support the modern networking ecosystem. The remainder of this chapter introduces important architectures and applications that are part of this ecosystem.

1.1 The Networking Ecosystem

Figure 1.1 depicts the modern networking ecosystem in very general terms. The entire ecosystem exists to provide services to end users. The term end user, or simply user, is used here as a very general term, to encompass users working within an enterprise or in a public setting or at home. The user platform can be fixed (for example, PC or workstation), portable (for example, laptop), or mobile (for example, tablet or smartphone).

FIGURE 1.1 The Modern Networking Ecosystem

Users connect to network-based services and content through a wide variety of network access facilities. These include digital subscriber line (DSL) and cable modems, Wi-Fi and Worldwide Interoperability for Microwave Access (WiMAX) wireless modems, and cellular modems. Such network access facilities enable the user to connect directly to the Internet or to a variety of network providers, including Wi-Fi networks, cellular networks, and both private and shared network facilities, such as a premises enterprise network.

Ultimately, of course, users want to use network facilities to access applications and content. Figure 1.1 indicates three broad categories of interest to users. Application providers provide applications, or apps, that run on the user’s platform, which is typically a mobile platform. More recently, the concept of an app store has become available for fixed and portable platforms as well.

A distinct category of provider is the application service provider. Whereas the application provider downloads software to the user’s platform, the application service provider acts as a server or host of application software that is executed on the provider’s platforms. Traditional examples of such software include web servers, e-mail servers, and database servers. The most prominent example now is the cloud computing provider. We discuss this latter category subsequently in this chapter and in Chapter 13, “Cloud Computing.”

The final element shown in Figure 1.1 is the content provider. A content provider serves the data to be consumed on the user device (for example, e-mail, music, video). This data may be commercially provided intellectual property. In some instances, an enterprise may be an application or content provider. Examples of content providers are music record labels and movie studios.

Figure 1.1 is intended to provide a very general depiction of the networking ecosystem. It is worth pointing out here two major elements of modern networking not explicitly depicted in this figure:

Data center networking: Both large enterprise data centers and cloud provider data centers consist of very large numbers of interconnected servers. Typically, as much as 80 percent of the data traffic is within the data center network, and only 20 percent relies on external networks to reach users.

IoT or fog networking: An Internet of Things deployed by an enterprise may consist of hundreds, thousands, even millions of devices. The vast bulk of the data traffic to and from these devices is machine to machine, rather than user to machine.

Each of these networking environments creates its own particular requirements, which are discussed as the book progresses.

1.2 Example Network Architectures

This section introduces two example network architectures, and with them some of the networking terminology in common use. These examples give some idea of the range of network architectures covered in this book.

A Global Network Architecture

We begin with an architecture that could represent an enterprise network of national or global extent, or a portion of the Internet with some of its associated networks. Figure 1.2 illustrates some of the typical communications and network elements in use in such a context.

FIGURE 1.2 A Global Networking Architecture

At the center of the figure is an IP backbone, or core, network, which could represent a portion of the Internet or an enterprise IP network. Typically, the backbone consists of high-performance routers, called core routers, interconnected with high-volume optical links. The optical links often make use of what is known as wavelength-division multiplexing (WDM), such that each link has multiple logical channels occupying different portions of the optical bandwidth.

At the periphery of an IP backbone are routers that provide connectivity to external networks and users. These routers are sometimes referred to as edge routers or aggregation routers. Aggregation routers are also used within an enterprise network to connect a number of routers and switches to external resources, such as an IP backbone or a high-speed WAN. As an indication of the capacity requirements for core and aggregation routers, the IEEE Ethernet Bandwidth Assessments Group [XI11] reports on an analysis that projects these requirements for Internet backbone providers and large enterprise networks in China. The analysis concludes that by 2020 aggregation router requirements will be in the range of 200 Gbps to 400 Gbps per optical link, and core router requirements in the range of 400 Gbps to 1 Tbps per optical link.

The upper part of Figure 1.2 depicts a portion of what might be a large enterprise network. The figure shows two sections of the network connected via a private high-speed WAN, with switches interconnected with optical links. MPLS using IP is a common switching protocol used for such WANs; wide-area Ethernet is another option. Enterprise assets are connected to, and protected from, an IP backbone or the Internet via routers with firewall capability, a common arrangement for implementing the firewall.

The lower left of the figure depicts what might be a layout for a small- or medium-size business, which relies on an Ethernet LAN. Connection to the Internet through a router could be through a cable or DSL connection or a dedicated high-speed link.

The lower portion of Figure 1.2 also shows an individual residential user connected to an Internet service provider (ISP) through some sort of subscriber connection. Common examples of such a connection are a DSL, which provides a high-speed link over telephone lines and requires a special DSL modem, and a cable TV facility, which requires a cable modem, or some type of wireless connection. In each case, there are separate issues concerning signal encoding, error control, and the internal structure of the subscriber network.

Finally, mobile devices, such as smartphones and tablets, can connect to the Internet through the public cellular network, which has a high-speed connection, typically optical, to the Internet.

A Typical Network Hierarchy

This section focuses in on a network architecture that, with some variation, is common in many enterprises. As Figure 1.3 illustrates, enterprises often design their network facilities in a three-tier hierarchy: access, distribution, and core.

FIGURE 1.3 A Typical Network Hierarchy

Closest to the end user is the access network. Typically, an access network is a local-area network (LAN) or campus-wide network consisting of LAN switches (typically Ethernet switches) and, in larger LANs, IP routers that provide connectivity among the switches. Layer 3 switches (not shown) are also commonly used within a LAN. The access network supports end user equipment, such as desktop and laptop computers and mobile devices. The access network also supports local servers that primarily or exclusively serve the users on the local access network.

One or more access routers connect the local assets to the next higher level of the hierarchy, the distribution network. This connection may be via the Internet or some other public or private communications facility. Thus, as described in the preceding subsection, these access routers function as edge routers that forward traffic into and out of the access network. For a large local facility, there might be additional access routers that provide internal routing but do not function as edge routers (not shown in Figure 1.2).

The distribution network connects access networks with each other and with the core network. An edge router in the distribution network connects to an edge router in an access network to provide connectivity. The two routers are configured to recognize each other and will generally exchange routing and connectivity information and, typically, some traffic-related information. This cooperation between routers is referred to as peering. The distribution network also serves to aggregate traffic destined for the core router, which protects the core from high-density peering. That is, the use of a distribution network limits the number of routers that establish peer relationships with edge routers in the core, saving memory, processing, and transmission capacity. A distribution network may also directly connect servers that are of use to multiple access networks, such as database servers and network management servers.

Again, as with access networks, some of the distribution routers may be purely internal and do not provide an edge router function.

The core network, also referred to as a backbone network, connects geographically dispersed distribution networks as well as providing access to other networks that are not part of the enterprise network. Typically, the core network will use very high performance routers, high-capacity transmission lines, and multiple interconnected routers for increased redundancy and capacity. The core network may also connect to high-performance, high-capacity servers, such as large database servers and private cloud facilities. Some of the core routers may be purely internal, providing redundancy and additional capacity without serving as edge routers.

A hierarchical network architecture is an example of a good modular design. With this design, the capacity, features, and functionality of network equipment (routers, switches, network management servers) can be optimized for their position in the hierarchy and the requirements at a given hierarchical level.

1.3 Ethernet

Continuing the top-down approach of the preceding two sections, the next three sections focus on key network transmission technologies of Ethernet, Wi-Fi, and 4G/5G cellular networks. Each of these technologies has evolved to support very high data rates. These data rates support the many multimedia applications required by enterprises and consumers and, at the same time, place great demands on network switching equipment and network management facilities. A full discussion of these network technologies is beyond the scope of this book. Here, we provide a brief survey.

This section begins with discussion of Ethernet applications, and then looks at standards and performance.

Applications of Ethernet

Ethernet is the predominant wired networking technology, used in homes, offices, data centers, enterprises, and WANs. As Ethernet has evolved to support data rates up to 100 Gbps and distances from a few meters to tens of kilometers, it has become essential for supporting personal computers, workstations, servers, and massive data storage devices in organizations large and small.

Ethernet in the Home

Ethernet has long been used in the home to create a local network of computers with access to the Internet via a broadband modem/router. With the increasing availability of high-speed, low-cost Wi-Fi on computers, tablets, smartphones, modem/routers, and other devices, home reliance on Ethernet has declined. Nevertheless almost all home networking setups include some use of Ethernet.

Two recent extensions of Ethernet technology have enhanced and broadened the use of Ethernet in the home: powerline carrier (PLC) and Power over Ethernet (PoE). Powerline modems take advantage of existing power lines and use the power wire as a communication channel to transmit Ethernet packets on top of the power signal. This makes it easy to include Ethernet-capable devices throughout the home into the Ethernet network. PoE acts in a complementary fashion, distributing power over the Ethernet data cable. PoE uses the existing Ethernet cables to distribute power to devices on the network, thus simplifying the wiring for devices such as computers and televisions.

With all of these Ethernet options, Ethernet will retain a strong presence in home networking, complementing the advantages of Wi-Fi.

Ethernet in the Office

Ethernet has also long been the dominant network technology for wired local-area networks (LANs) in the office environment. Early on there were some competitors, such as IBM’s Token Ring LAN and the Fiber Distributed Data Interface (FDDI), but the simplicity, performance, and wide availability of Ethernet hardware eventually made Ethernet the winner. Today, as with home networks, the wired Ethernet technology exists side by side with the wireless Wi-Fi technology. Much of the traffic in a typical office environment now travels on Wi-Fi, particularly to support mobile devices. Ethernet retains its popularity because it can support many devices at high speeds, is not subject to interference, and provides a security advantage because it is resistant to eavesdropping. Therefore, a combination of Ethernet and Wi-Fi is the most common architecture.

Figure 1.4 provides a simplified example of an enterprise LAN architecture. The LAN connects to the Internet/WANs via a firewall. A hierarchical arrangement of routers and switches provides the interconnection of servers, fixed user devices, and wireless devices. Typically, wireless devices are only attached at the edge or bottom of the hierarchical architecture; the rest of the campus infrastructure is all Ethernet. There may also be an IP telephony server that provides call control functions (voice switching) for the telephony operations in an enterprise network, with connectivity to the public switched telephone network (PSTN).

 
FIGURE 1.4 A Basic Enterprise LAN Architecture

 
Ethernet in the Enterprise
 

A tremendous advantage of Ethernet is that it is possible to scale the network, both in terms of distance and data rate, with the same Ethernet protocol and associated quality of service (QoS) and security standards. An enterprise can easily extend an Ethernet network among a number of buildings on the same campus or even some distance apart, with links ranging from 10 Mbps to 100 Gbps, using a mixture of cable types and Ethernet hardware. Because all the hardware and communications software conform to the same standard, it is easy to mix different speeds and different vendor equipment. The same protocol is used for intensive high-speed interconnections of data servers in a single room, workstations and servers distributed throughout the building, and links to Ethernet networks in other buildings up to 100 km away.

 
Ethernet in the Data Center
 

As in other areas, Ethernet has come to dominate in the data center, where very high data rates are needed to handle massive volumes of data among networked servers and storage units. Historically, data centers have employed various technologies to support high-volume, short-distance needs, including InfiniBand and Fibre Channel. But now that Ethernet can scale up to 100 Gbps, with 400 Gbps on the horizon, the case for a unified protocol approach throughout the enterprise is compelling.

 

Two features of the new Ethernet approach are noteworthy. For co-located servers and storage units, high-speed Ethernet fiber links and switches provide the needed networking infrastructure. Another important version of Ethernet is known as backplane Ethernet. Backplane Ethernet runs over copper jumper cables that can provide up to 100 Gbps over very short distances. This technology is ideal for blade servers, in which multiple server modules are housed in a single chassis.

 
Ethernet for Wide-Area Networking
 

Until fairly recently, Ethernet was not a significant factor in wide-area networking. But gradually, more telecommunications and network providers have switched to Ethernet from alternative schemes to support wide-area access (also referred to as first mile or last mile). Ethernet is supplanting a variety of other wide-area options, such as dedicated T1 lines, synchronous digital hierarchy (SDH) lines, and Asynchronous Transfer Mode (ATM). When used in this fashion, the term carrier Ethernet is applied. The term metro Ethernet, or metropolitan-area network (MAN) Ethernet, is also used. Ethernet has the advantage that it seamlessly fits into the enterprise network for which it provides wide-area access. But a more important advantage is that carrier Ethernet provides much more flexibility in terms of the data rate capacity that is used, compared to traditional wide-area alternatives.

 

Carrier Ethernet is one of the fastest-growing Ethernet technologies, destined to become the dominant means by which enterprises access wide-area networking and Internet facilities.

 

Standards

 

Within the IEEE 802 LAN standards committee, the 802.3 group is responsible for issuing standards for LANs that are referred to commercially as Ethernet. Complementary to the efforts of the 802.3 committee, the industry consortium known as The Ethernet Alliance supports and originates activities that span from incubation of new Ethernet technologies to interoperability testing to demonstrations to education.

 
IEEE 802.3 Committee

 

Ethernet Data Rates

 

Currently, Ethernet systems are available at speeds up to 100 Gbps. Here’s a brief chronology.

 

1983: 10 Mbps (megabits per second, million bits per second)

 

1995: 100 Mbps

 

1998: 1 Gbps (gigabits per second, billion bits per second)

 

2003: 10 Gbps

 

2010: 40 Gbps and 100 Gbps

 
The Ethernet Alliance

 

Coming soon (as of this writing) are standards at 2.5, 5, 25, 50, and 400 Gbps (see Figure 1.5).

 
FIGURE 1.5 Ethernet and Wi-Fi Timelines

 
1-Gbps Ethernet
 

For a number of years, the initial standard of Ethernet, at 10 Mbps, was adequate for most office environments. By the early 1990s, it was clear that higher data rates were needed to support the growing traffic load on the typical LAN. Key drivers included the following:

 

Centralized server farms: In many multimedia applications, there is a need for client systems to be able to draw huge amounts of data from multiple, centralized servers, called server farms. As the performance of the servers has increased, the network becomes the bottleneck.

 

Power workgroups: These groups typically consist of a small number of cooperating users who need to exchange massive data files across the network. Example applications are software development and computer-aided design.

 

High-speed local backbone: As processing demand grows, enterprises develop an architecture of multiple LANs interconnected with a high-speed backbone network.

 

To meet such needs, the IEEE 802.3 committee developed a set of specifications for Ethernet at 100 Mbps, followed a few years later by a 1-Gbps family of standards. In each case, the new specifications defined transmission media and transmission encoding schemes built on the basic Ethernet framework, making the transition easier than if a completely new specification were issued.

 
10-Gbps Ethernet
 

Even as the ink was drying on the 1-Gbps specification, the continuing increase in local traffic made this specification inadequate for needs in the short-term future. Accordingly, the IEEE 802.3 committee soon issued a standard for 10-Gbps Ethernet. The principal driving requirement for 10-Gbps Ethernet was the increase in intranet (local interconnected networks) and Internet traffic. A number of factors contribute to the explosive growth in both Internet and intranet traffic:

 

An increase in the number of network connections

 

An increase in the connection speed of each end-station (for example, 10-Mbps users moving to 100 Mbps, analog 56k users moving to DSL and cable modems)

 

An increase in the deployment of bandwidth-intensive applications such as high-quality video

 

An increase in web hosting and application hosting traffic

 

Initially, network managers used 10-Gbps Ethernet to provide high-speed, local backbone interconnection between large-capacity switches. As the demand for bandwidth increased, 10-Gbps Ethernet began to be deployed throughout the entire network, to include server farm, backbone, and campus-wide connectivity. This technology enables ISPs and network service providers (NSPs) to create very high-speed links at a very low cost between co-located carrier-class switches and routers.

 

The technology also allows the construction of MANs and WANs that connect geographically dispersed LANs between campuses or points of presence (PoPs).

 
100-Gbps Ethernet
 

The IEEE 802.3 committee soon realized the need for a greater data rate capacity than 10-Gbps Ethernet offers, to support Internet exchanges, high-performance computing, and video-on-demand delivery. The authorization request justified the need for two different data rates in the new standard (40 Gbps and 100 Gbps) by recognizing that aggregate network requirements and end-station requirements are increasing at different rates.

 

The following are market drivers for 100-Gbps Ethernet:

 

Data center/Internet media providers: To support the growth of Internet multimedia content and web applications, content providers have been expanding data centers, pushing 10-Gbps Ethernet to its limits. Likely to be high-volume early adopters of 100-Gbps Ethernet.

 

Metro video/service providers: Video on demand has been driving a new generation of 10-Gbps Ethernet metropolitan/core network buildouts. Likely to be high-volume adopters in the medium term.

 

Enterprise LANs: Continuing growth in convergence of voice/video/data and in unified communications is driving up network switch demands. However, most enterprises still rely on 1-Gbps or a mix of 1-Gbps and 10-Gbps Ethernet, and adoption of 100-Gbps Ethernet is likely to be slow.

 

Internet exchanges/ISP core routing: With the massive amount of traffic flowing through these nodes, these installations are likely to be early adopters of 100-Gbps Ethernet.

 

Figure 1.6 shows an example of the application of 100-Gbps Ethernet. The trend at large data centers, with substantial banks of blade servers, is the deployment of 10-Gbps ports on individual servers to handle the massive multimedia traffic provided by these servers. Typically, a single blade server rack will contain multiple servers and one or two 10-Gbps Ethernet switches to interconnect all the servers and provide connectivity to the rest of the facility. The switches are often mounted in the rack and referred to as top-of-rack (ToR) switches. The term ToR has become synonymous with server access switch, even if it is not located “top of rack.” For very large data centers, such as cloud providers, the interconnection of multiple blade server racks with additional 10-Gbps switches is increasingly inadequate. To handle the increased traffic load, switches operating at greater than 10 Gbps are needed to support the interconnection of server racks and to provide adequate capacity for connecting offsite through network interface controllers (NICs).

 
FIGURE 1.6 Configuration for Massive Blade Server Cloud Site

 
25/50-Gbps Ethernet
 

One of the options for implementing 100-Gbps Ethernet is as four 25-Gbps physical lanes. Therefore, it would be relatively easy to develop standards for 25-Gbps and 50-Gbps Ethernet, using one or two lanes, respectively. Having these two lower-speed alternatives, based on the 100-Gbps technology, would give users more flexibility in meeting existing and near-term demands with a solution that would scale easily to higher data rates.

 

Such considerations have led to the formation of the 25 Gigabit Ethernet Consortium by a number of leading cloud networking providers, including Google and Microsoft. The objective of the Consortium is to support an industry-standard, interoperable Ethernet specification that boosts the performance and slashes the interconnect cost per Gbps between the NIC and ToR switch. The specification adopted by the Consortium prescribes a single-lane 25-Gbps Ethernet and dual-lane 50-Gbps Ethernet link protocol, enabling up to 2.5 times higher performance per physical lane on twinax copper wire between the rack endpoint and switch compared to 10-Gbps and 40-Gbps Ethernet links. The IEEE 802.3 committee is at work developing the needed standards for 25 Gbps and may include 50 Gbps.

 

It is too early to say how these various options (25, 40, 50, 100 Gbps) will play out in the marketplace. In the intermediate term, the 100-Gbps switch is likely to predominate at large sites, but the availability of these slower and cheaper alternatives gives enterprises a number of paths for scaling up to meet increasing demand.

 
400-Gbps Ethernet
 

The growth in demand never lets up. IEEE 802.3 is currently exploring technology options for producing a 400-Gbps Ethernet standard, although no timetable is yet in place. Looking beyond that milestone, there is widespread acknowledgment that a 1-Tbps (terabits per second, trillion bits per second) standard will eventually be produced.

 
2.5/5-Gbps Ethernet
 

As a testament to the versatility and ubiquity of Ethernet, and at the same time that ever higher data rates are being standardized, consensus is developing to standardize two lower rates: 2.5 Gbps and 5 Gbps. These relatively low speeds are also known as Multirate Gigabit BASE-T (MGBASE-T). Currently, the MGBASE-T Alliance is overseeing the development of these standards outside of IEEE. It is likely that the IEEE 802.3 committee will ultimately issue standards based on these industry efforts.

 

These new data rates are mainly intended to support IEEE 802.11ac wireless traffic into a wired network. IEEE 802.11ac is a 3.2-Gbps Wi-Fi standard that is gaining acceptance where more than 1 Gbps of throughput is needed, such as to support mobile users in the office environment. This new wireless standard overruns 1-Gbps Ethernet link support but may not require the next step up, which is 10 Gbps. Assuming that 2.5 and 5 Gbps can be made to work over the same cable that supports 1 Gbps, this would provide a much needed uplink speed improvement for access points supporting 802.11ac radios with their high bandwidth capabilities.

 

1.4 Wi-Fi

 

Just as Ethernet has become the dominant technology for wired LANs, so Wi-Fi, standardized by the IEEE 802.11 committee, has become the dominant technology for wireless LANs. This overview section discusses applications of Wi-Fi and then looks at standards and performance.

 

Applications of Wi-Fi

 

Wi-Fi is the predominant wireless Internet access technology, used in homes, offices, and public spaces. Wi-Fi in the home now connects computers, tablets, smartphones, and a host of electronic devices, such as video cameras, TVs, and thermostats. Wi-Fi in the enterprise has become an essential means of enhancing worker productivity and network effectiveness. And public Wi-Fi hotspots have expanded dramatically to provide free Internet access in most public places.

 
Wi-Fi in the Home
 

The first important use of Wi-Fi in the home was to replace Ethernet cabling for connecting desktop and laptop computers with each other and with the Internet. A typical layout is a desktop computer with an attached router/modem that provides an interface to the Internet. Other desktop and laptop computers connect either via Ethernet or Wi-Fi to the central router, so that all the home computers can communicate with each other and with the Internet. Wi-Fi greatly simplified the hookup. Not only is there no need for a physical cable hookup, but the laptops can be moved easily from room to room or even outside the house.

 

Today, the importance of Wi-Fi in the home has expanded tremendously. Wi-Fi remains the default scheme for interconnecting a home computer network. Because both Wi-Fi and cellular capability are now standard on both smartphones and tablets, the home Wi-Fi provides a cost-effective way to the Internet. The smartphone or tablet will automatically use a Wi-Fi connection to the Internet if available, and only switch to the more expensive cellular connection if the Wi-Fi connection is not available. And Wi-Fi is essential to implementing the latest evolution of the Internet: the Internet of Things.

 
Public Wi-Fi
 

Access to the Internet via Wi-Fi has expanded dramatically in recent years, as more and more facilities provide a Wi-Fi hotspot, which enables any Wi-Fi device to attach. Wi-Fi hotspots are provided in coffee shops, restaurants, train stations, airports, libraries, hotels, hospitals, department stores, RV parks, and many other places. So many hotspots are available that it is rare to be too far from one. There are now numerous tablet and smartphone apps that increase their convenience.

 

Even very remote places will be able to support hotspots with the development of the satellite Wi-Fi hotspot. The first company to develop such a product is the satellite communications company Iridium. The satellite modem will initially provide a relatively low-speed connection, but the data rates will inevitably increase.

 
Enterprise Wi-Fi
 

The economic benefit of Wi-Fi is most clearly seen in the enterprise. Wi-Fi connections to the enterprise network have been offered by many organizations of all sizes, including public and private sector. But in recent years, the use of Wi-Fi has expanded dramatically, to the point that now approximately half of all enterprise network traffic is via Wi-Fi rather than the traditional Ethernet. Two trends have driven the transition to a Wi-Fi-centered enterprise. First, the demand has increased, with more and more employees preferring to use laptops, tablets, and smartphones to connect to the enterprise network, rather than a desktop computer. Second, the arrival of Gigabit Wi-Fi, especially the IEEE 802.11ac standard, allows the enterprise network to support high-speed connections to many mobile devices simultaneously.

 

Whereas Wi-Fi once merely provided an accessory network designed to cover meetings and public areas, enterprise Wi-Fi deployment now generally provides ubiquitous coverage, to include main offices and remote facilities, and both indoor locations and outdoor spaces surrounding them. Enterprises accepted the need for, and then began to encourage, the practice known as bring your own device (BYOD). The almost universal availability of Wi-Fi capability on laptops, tablets, and smartphones, in addition to the wide availability of home and public Wi-Fi networks, has greatly benefited the organization. Employees can use the same devices and the same applications to continue their work or check their e-mail from wherever they are—home, at their local coffee shop, or while traveling. From the enterprise perspective, this means higher productivity and efficiency and lower costs.

 

Standards

 

Essential to the success of Wi-Fi is interoperability. Wi-Fi-enabled devices must be able to communicate with Wi-Fi access points, such as the home router, the enterprise access point, and public hotspots, regardless of the manufacturer of the device or access point. Such interoperability is guaranteed by two organizations. First, the IEEE 802.11 wireless LAN committee develops the protocol and signaling standards for Wi-Fi. Then, the Wi-Fi Alliance creates test suites to certify interoperability for commercial products that conform to various IEEE 802.11 standards. The term Wi-Fi (wireless fidelity) is used for products certified by the Alliance.

 
IEEE 802.11 Wireless LAN Working Group

 
Wi-Fi Alliance

 

Wi-Fi Data Rates

 

Just as businesses and home users have generated a need to extend the Ethernet standard to speeds in the gigabits per second (Gbps) range, the same requirement exists for Wi-Fi. As the technology of antennas, wireless transmission techniques, and wireless protocol design has evolved, the IEEE 802.11 committee has been able to introduce standards for new versions of Wi-Fi at ever-higher speeds. Once the standard is issued, industry quickly develops the products. Here’s a brief chronology, starting with the original standard, which was simply called IEEE 802.11, and showing the maximum data rate for each version (Figure 1.5):

 

802.11 (1997): 2 Mbps (megabits per second, million bits per second)

 

802.11a (1999): 54 Mbps

 

802.11b (1999): 11 Mbps

 

802.11n (1999): 600 Mbps

 

802.11g (2003): 54 Mbps

 

802.11ad (2012): 6.76 Gbps (billion bits per second)

 

802.11ac (2014): 3.2 Gbps

 

IEEE 802.11ac operates in the 5-GHz band, as do the older and slower standards 802.11a and 802.11n. It is designed to provide a smooth evolution from 802.11n. This new standard makes use of advanced technologies in antenna design and signal processing to achieve much greater data rates, at lower battery consumption, all within the same frequency band as the older versions of Wi-Fi.

 

IEEE 802.11ad is a version of 802.11 operating in the 60-GHz frequency band. This band offers the potential for much wider channel bandwidth than the 5-GHz band, enabling high data rates with relatively simple signal encoding and antenna characteristics. Few devices operate in the 60-GHz band, which means communication experiences less interference than in the other bands used for Wi-Fi.

 

Because of the inherent transmission limitations of the 60-GHz band, 802.11ad is likely to be useful only within a single room. Because it can support high data rates and, for example, could easily transmit uncompressed high-definition video, it is suitable for applications such as replacing wires in a home entertainment system, or streaming high-definition movies from your cell phone to your television.

 

Gigabit Wi-Fi holds attractions for both office and residential environments, and commercial products are beginning to roll out. In the office environment, the demand for ever greater data rates has led to Ethernet offerings at 10 Gbps, 40 Gbps, and most recently 100 Gbps. These stupendous capacities are needed to support blade servers, heavy reliance on video and multimedia, and multiple broadband connections offsite. At the same time, the use of wireless LANs has grown dramatically in the office setting to meet needs for mobility and flexibility. With the gigabit-range data rates available on the fixed portion of the office LAN, gigabit Wi-Fi is needed to enable mobile users to effectively use the office resources. IEEE 802.11ac is likely to be the preferred gigabit Wi-Fi option for this environment.

 

In the consumer and residential market, IEEE 802.11ad is likely to be popular as a low-power, short-distance wireless LAN capability with little likelihood of interfering with other devices. IEEE 802.11ad is also an attractive option in professional media production environments in which massive amounts of data need to be moved short distances.

 

1.5 4G/5G Cellular

 

Cellular technology is the foundation of mobile wireless communications and supports users in locations that are not easily served by wired networks. Cellular technology is the underlying technology for mobile telephones, personal communications systems, wireless Internet and wireless web applications, and much more. This section looks at how cellular technology has evolved through four generations and is poised for a fifth generation.

 

First Generation

 

The original cellular networks, now dubbed 1G, provided analog traffic channels and were designed to be an extension of the public switched telephone networks. Users with brick-sized cell phones placed and received calls in the same fashion as landline subscribers. The most widely deployed 1G system was the Advanced Mobile Phone Service (AMPS), developed by AT&T. Voice transmission was purely analog and control signals were sent over a 10-kbps analog channel.

 

Second Generation

 

First-generation cellular networks quickly became highly popular, threatening to swamp available capacity. Second-generation (2G) systems were developed to provide higher-quality signals, higher data rates for support of digital services, and greater capacity. Key differences between 1G and 2G networks include the following:

 

Digital traffic channels: The most notable difference between the two generations is that 1G systems are almost purely analog, whereas 2G systems are digital. In particular, 1G systems are designed to support voice channels; digital traffic is supported only by the use of a modem that converts the digital data into analog form. 2G systems provide digital traffic channels. These systems readily support digital data; voice traffic is first encoded in digital form before transmitting.

 

Encryption: Because all the user traffic, and the control traffic, is digitized in 2G systems, it is a relatively simple matter to encrypt all the traffic to prevent eavesdropping. All 2G systems provide this capability, whereas 1G systems send user traffic in the clear, providing no security.

 

Error detection and correction: The digital traffic stream of 2G systems also lends itself to the use of error detection and correction techniques. The result can be very clear voice reception.

 

Channel access: In 1G systems, each cell supports a number of channels. At any given time a channel is allocated to only one user. 2G systems also provide multiple channels per cell, but each channel is dynamically shared by a number of users.

 

Third Generation

The objective of the third generation (3G) of wireless communication is to provide fairly high-speed wireless communications to support multimedia, data, and video in addition to voice. 3G systems share the following design features:

Bandwidth: An important design goal for all 3G systems is to limit channel usage to 5 MHz. There are several reasons for this goal. On the one hand, a bandwidth of 5 MHz or more improves the receiver’s ability to resolve multipath when compared to narrower bandwidths. On the other hand, the available spectrum is limited by competing needs, and 5 MHz is a reasonable upper limit on what can be allocated for 3G. Finally, 5 MHz is adequate for supporting data rates of 144 and 384 kbps, the main targets for 3G services.

Data rate: Target data rates are 144 and 384 kbps. Some 3G systems also provide support up to 2 Mbps for office use.

Multirate: The term multirate refers to the provision of multiple fixed-data-rate logical channels to a given user, in which different data rates are provided on different logical channels. Further, the traffic on each logical channel can be switched independently through the wireless and fixed networks to different destinations. The advantage of multirate is that the system can flexibly support multiple simultaneous applications from a given user and can efficiently use available capacity by only providing the capacity required for each service.

Fourth Generation

The evolution of smartphones and cellular networks has ushered in a new generation of capabilities and standards, which is collectively called 4G. 4G systems provide ultra-broadband Internet access for a variety of mobile devices including laptops, smartphones, and tablets. 4G networks support mobile web access and high-bandwidth applications such as high-definition mobile TV, mobile video conferencing, and gaming services.

These requirements have led to the development of a fourth generation (4G) of mobile wireless technology that is designed to maximize bandwidth and throughput while also maximizing spectral efficiency. 4G systems have the following characteristics:

Based on an all-IP packet switched network

Support peak data rates of up to approximately 100 Mbps for high-mobility mobile access and up to approximately 1 Gbps for low-mobility access such as local wireless access

Dynamically share and use the network resources to support more simultaneous users per cell

Support smooth handovers across heterogeneous networks

Support high QoS for next-generation multimedia applications

In contrast to earlier generations, 4G systems do not support traditional circuit-switched telephony service, providing only IP telephony services.

Fifth Generation

5G systems are still some years away (perhaps 2020), but 5G technologies are likely an area of active research. By 2020, the huge amounts of data traffic generated by tablets and smartphones will be augmented by an equally huge, and perhaps much larger, amount of traffic from the Internet of Things, which includes shoes, watches, appliances, cars, thermostats, door locks, and much more.

With 4G, we may have reached a point of diminishing returns on network efficiency. There will be incremental improvements in the future, but significant increases in transmission efficiency seem unlikely. Instead, the focus for 5G will be on building more intelligence into the network, to meet service quality demands by dynamic use of priorities, adaptive network reconfiguration, and other network management techniques.

1.6 Cloud Computing

This section provides a brief overview of cloud computing, which is dealt with in greater detail later in the book.

Although the general concepts for cloud computing go back to the 1950s, cloud computing services first became available in the early 2000s, particularly targeted at large enterprises. Since then, cloud computing has spread to small- and medium-size businesses, and most recently to consumers. Apple’s iCloud was launched in 2012 and had 20 million users within a week of launch. Evernote, the cloud-based note-taking and archiving service, launched in 2008, approached 100 million users in less than six years. In late 2014, Google announced that Google Drive had almost a quarter of a billion active users. Here, we look at the key elements of clouds, including cloud computing, cloud networking, and cloud storage.

See Chapter 13, “Cloud Computing”

Cloud Computing Concepts

There is an increasingly prominent trend in many organizations to move a substantial portion or even all IT operations to an Internet-connected infrastructure known as enterprise cloud computing. At the same time, individual users of PCs and mobile devices are relying more and more on cloud computing services to back up data, sync devices, and share, using personal cloud computing.

The National Institute of Standards and Technology (NIST) defines the essential characteristics of cloud computing as follows:

Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (for example, mobile phones, laptops, and personal digital assistants [PDAs]) and other traditional or cloud-based software services.

Rapid elasticity: Cloud computing enables you to expand and reduce resources according to your specific service requirement. For example, you may need a large number of server resources for the duration of a specific task. You can then release these resources upon completion of the task.

Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (for example, storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider. Because the service is on demand, the resources are not permanent parts of your IT infrastructure.

Resource pooling: The provider’s computing resources are pooled to serve multiple consumers using a multitenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a degree of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources, but may be able to specify location at a higher level of abstraction (for example, country, state, or data center). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines. Even private clouds tend to pool resources between different parts of the same organization. For security, the practical consequence of pooling is that the isolation the provider maintains between tenants (in the hypervisor, the network, and the storage layer) becomes the boundary on which each tenant’s confidentiality depends, and the customer’s limited control over location matters wherever regulation constrains where data may reside.

Figure 1.7 illustrates the typical cloud service context. An enterprise maintains workstations within an enterprise LAN or set of LANs, which are connected by a router through a network or the Internet to the cloud service provider. The cloud service provider maintains a massive collection of servers, which it manages with a variety of network management, redundancy, and security tools. In the figure, the cloud infrastructure is shown as a collection of blade servers, which is a common architecture.

FIGURE 1.7 Cloud Computing Context

The Benefits of Cloud Computing

Cloud computing provides economies of scale, professional network management, and professional security management. These features can be attractive to companies large and small, government agencies, and individual PC and mobile users. The individual or company needs to pay only for the storage capacity and services they need. The user, be it company or individual, does not have the hassle of setting up a database system, acquiring the hardware they need, doing maintenance, and backing up the data; all this is part of the cloud service.

In theory, another big advantage of using cloud computing to store your data and share it with others is that the cloud provider takes care of security. Alas, the customer is not always protected. There have been a number of security failures among cloud providers. Evernote made headlines in early 2013 when it told all of its users to reset their passwords after an intrusion was discovered. In practice, responsibility is shared: the provider secures the infrastructure it operates, while the customer remains responsible for its own accounts, credentials, access policies, and the data it chooses to place in the cloud. Cloud security is addressed in Chapter 16, “Security.”

Cloud Networking

Cloud networking refers to the networks and network management functionality that must be in place to enable cloud computing. Many cloud computing solutions rely on the Internet, but that is only a piece of the networking infrastructure.

One example of cloud networking is the provisioning of high-performance/high-reliability networking between the provider and subscriber. In this case, some or all of the traffic between an enterprise and the cloud bypasses the Internet and uses dedicated private network facilities owned or leased by the cloud service provider. More generally, cloud networking refers to the collection of network capabilities required to access a cloud, including making use of specialized services over the Internet, linking enterprise data centers to a cloud, and using firewalls and other network security devices at critical points to enforce access security policies.

Cloud Storage

We can think of cloud storage as a subset of cloud computing. In essence, cloud storage consists of database storage and database applications hosted remotely on cloud servers. Cloud storage enables small businesses and individual users to take advantage of data storage that scales with their needs and to take advantage of a variety of database applications without having to buy, maintain, and manage the storage assets.

1.7 Internet of Things

The Internet of Things (IoT) is the latest development in the long and continuing revolution of computing and communications. Its size, ubiquity, and influence on everyday lives, business, and government dwarf any technical advance that has gone before. This section provides a brief overview of the IoT, which is dealt with in greater detail later in the book.

Things on the Internet of Things

The Internet of Things (IoT) is a term that refers to the expanding interconnection of smart devices, ranging from appliances to tiny sensors. A dominant theme is the embedding of short-range mobile transceivers into a wide array of gadgets and everyday items, enabling new forms of communication between people and things, and between things themselves. The Internet now supports the interconnection of billions of industrial and personal objects, usually through cloud systems. The objects deliver sensor information, act on their environment, and in some cases modify themselves, to create overall management of a larger system, like a factory or city.

See Chapter 14, “The Internet of Things”

The IoT is primarily driven by deeply embedded devices. These devices are low-bandwidth, low-repetition data-capture and low-bandwidth data-usage appliances that communicate with each other and provide data via user interfaces. Embedded appliances, such as high-resolution video security cameras, video-capable VoIP (Voice over IP) phones, and a handful of others, require high-bandwidth streaming capabilities. Yet countless products simply require packets of data to be intermittently delivered.

Evolution

With reference to the end systems supported, the Internet has gone through roughly four generations of deployment culminating in the IoT:

1. Information technology (IT): PCs, servers, routers, firewalls, and so on, bought as IT devices by enterprise IT people, primarily using wired connectivity.

2. Operational technology (OT): Machines/appliances with embedded IT built by non-IT companies, such as medical machinery, SCADA (supervisory control and data acquisition), process control, and kiosks, bought as appliances by enterprise OT people and primarily using wired connectivity.

3. Personal technology: Smartphones, tablets, and ebook readers bought as IT devices by consumers (employees) exclusively using wireless connectivity and often multiple forms of wireless connectivity.

4. Sensor/actuator technology: Single-purpose devices bought by consumers, IT, and OT people exclusively using wireless connectivity, generally of a single form, as part of larger systems.

It is the fourth generation that is usually thought of as the IoT, and which is marked by the use of billions of embedded devices.

Layers of the Internet of Things

Both the business and technical literature often focus on two elements of the Internet of Things—the “things” that are connected, and the Internet that interconnects them. It is better to view the IoT as a massive system, which consists of five layers:

Sensors and actuators: These are the things. Sensors observe their environment and report back quantitative measurements of such variables as temperature, humidity, presence or absence of some observable, and so on. Actuators operate on their environment, such as changing a thermostat setting or operating a valve.

Connectivity: A device may connect via either a wireless or wired link into a network to send collected data to the appropriate data center (sensor) or receive operational commands from a controller site (actuator).

Capacity: The network supporting the devices must be able to handle a potentially huge flow of data.

Storage: There needs to be a large storage facility to store and maintain backups of all the collected data. This is typically a cloud capability.

Data analytics: For large collections of devices, “big data” is generated, requiring a data analytics capability to process the data flow.

All of these layers are essential to an effective use of the IoT concept.

1.8 Network Convergence

Network convergence refers to the merger of previously distinct telephony and information technologies and markets. You can think of this convergence in terms of a three-layer model of enterprise communications:

Application convergence: These are seen by the end users of a business. Convergence integrates communications applications, such as voice calling (telephone), voice mail, e-mail, and instant messaging, with business applications, such as workgroup collaboration, customer relationship management, and back-office functions. With convergence, applications provide rich features that incorporate voice, data, and video in a seamless, organized, and value-added manner. One example is multimedia messaging, which enables a user to use a single interface to access messages from a variety of sources (for example, office voice mail, e-mail, SMS text messages, and mobile voice mail).

Enterprise services: At this level, the manager deals with the information network in terms of the services that must be available to ensure that users can take full advantage of the applications that they use. For example, network managers need to make sure that appropriate privacy mechanisms and authentication services are in place to support convergence-based applications. They may also be able to track user locations to support remote print services and network storage facilities for mobile workers. Enterprise network management services may also include setting up collaborative environments for various users, groups, and applications and QoS provision.

Infrastructure: The network and communications infrastructure consists of the communication links, LANs, WANs, and Internet connections available to the enterprise. Increasingly, enterprise network infrastructure also includes private/public cloud connections to data centers that host high-volume data storage and web services. A key aspect of convergence at this level is the ability to carry voice, image, and video over networks that were originally designed to carry data traffic. Infrastructure convergence has also occurred for networks that were designed for voice traffic. For example, video, image, text, and data are routinely delivered to smartphone users over cell phone networks.

Figure 1.8 illustrates the major attributes of the three-layer model of enterprise communications. In simple terms, convergence involves moving an organization’s voice, video, and image traffic to a single network infrastructure. This often involves integrating distinct voice and data networks into a single network infrastructure and extending the infrastructure to support mobile users. The foundation of this convergence is packet-based transmission using the Internet Protocol (IP). Using IP packets to deliver all varieties of communications traffic, sometimes referred to as everything over IP, enables the underlying infrastructure to deliver a wide range of useful applications to business users.

FIGURE 1.8 Business-Driven Convergence

Convergence brings many benefits, including simplified network management, increased efficiency, and greater flexibility at the application level. For example, a converged network infrastructure provides a predictable platform on which to build new applications that combine video, data, and voice. This makes it easier for developers to create innovative mash-ups and other value-added business applications and services. The following list summarizes three key benefits of IP network convergence:

Cost savings: A converged network can provide significant double-digit percent reductions in network administration, maintenance, and operating costs; converging legacy networks onto a single IP network enables better use of existing resources, and implementation of centralized capacity planning, asset management, and policy management.

Effectiveness: The converged environment has the potential to provide users with great flexibility, irrespective of where they are. IP convergence allows companies to create a more mobile workforce. Mobile workers can use a virtual private network (VPN) to remotely access business applications and communication services on the corporate network. A VPN helps maintain enterprise network security by authenticating the remote user or device and carrying business traffic in an encrypted tunnel, separating it from other Internet traffic.

Transformation: Because they are modifiable and interoperable, converged IP networks can easily adapt to new functions and features as they become available through technological advancements without having to install new infrastructure. Convergence also enables the enterprise-wide adoption of global standards and best practices, thus providing better data, enhanced real-time decision making, and improved execution of key business processes and operations. The end result is enhanced agility and innovation, the key ingredients of business innovation.

These compelling business benefits are motivating companies to invest in converged network infrastructures. Businesses, however, are keenly aware of the downside of convergence: having a single network means a single point of failure. Given their reliance on ICT (information and communications technology), today’s converged enterprise network infrastructures typically include redundant components and backup systems to increase network resiliency and lessen the severity of network outages.

1.9 Unified Communications

A concept related to network convergence is unified communications (UC). Whereas enterprise network convergence focuses on the consolidation of traditionally distinct voice, video, and data communications networks into a common infrastructure, UC focuses on the integration of real-time communication services to optimize business processes. As with converged enterprise networks, IP is the cornerstone on which UC systems are built. Key elements of UC include the following:

1. UC systems typically provide a unified user interface and consistent user experience across multiple devices and media.

2. UC merges real-time communications services with non-real-time services and business process applications.

Figure 1.9 shows the typical components of a UC architecture and how they relate to one another.

FIGURE 1.9 Elements of a Unified Communications Architecture

The key elements of this architecture are as follows:

Real-time communications (RTC) dashboard: An RTC dashboard is a key component of UC architecture. This is the element that provides UC users with a unified user interface across communication devices. Ideally, the user has a consistent interface no matter what communication device the user is currently using, whether it is a cell phone, wireless tablet computer, desktop system, or office telephone attached to the corporate private branch exchange (PBX). As you can see in Figure 1.9, RTC dashboards provide access to real-time communication services such as instant messaging, audio and video conferencing, and interactive whiteboards; RTC dashboards also provide access to non-real-time services such as unified messaging (e-mail, voice mail, fax, and SMS) in a unified view. An RTC dashboard includes presence information about co-workers and partners so that users can know on the fly which colleagues are available to communicate or join a collaborative communication session. RTC dashboards have become necessities in organizations that require high levels of communication and collaboration to support business processes.

Web conferencing: Refers to live meetings or presentations in which participants access the meeting or presentation via a mobile device or the web, either over the Internet or a corporate intranet. Web conferences often include data sharing through web-connected interactive white boards (IWBs).

Audio conferencing: Also called conference calling, refers to a live meeting in which participants are linked together for audio transmission and reception. A participant may be on a landline, mobile phone, or at a “softphone”—a computer equipped with microphone and speaker.

Unified messaging: Unified messaging systems provide a common repository for messages from multiple sources. It allows users to retrieve saved e-mail, voice mail, and fax messages from a computer, telephone, or mobile device. Computer users can select and play voice-mail recordings that appear in their unified messaging inboxes. Telephone users can both retrieve voice mail and hear text-to-voice translations of e-mail messages. Messages of any type can be saved, answered, filed, sorted, and forwarded. Unified messaging systems relieve business users from having to monitor multiple voice mailboxes by enabling voicemail messages received by both office phones and cell phones to be saved to the same mailbox. With UC, users can use any device at any time to retrieve e-mail or voice mail from unified messaging mailboxes.

Instant messaging (IM): Real-time text-based messaging between two or more participants. IM is similar to online chat because it is text-based and exchanged bidirectionally in real time. IM is distinct from chat in that IM clients use contact (or buddy) lists to facilitate connections between known users, whereas online chat can include text-based exchanges between anonymous users.

Video teleconferencing (VTC): Videoconferencing allows users in two or more locations to interact simultaneously via two-way video and audio transmission. UC systems enable users to participate in video conferences via desktop computers, smartphones, and mobile devices.

Presence: The capability to determine, in real time, where someone is, how that person prefers to be reached, and even what the person is currently doing. Presence information shows the individual’s availability state before co-workers attempt to contact that person. It was once considered simply an underlying technology to instant messaging (for example, “available to chat” or “busy”) but has been broadened to include whether co-workers are currently on office or mobile phones, logged in to a computer, involved in a video call or in a meeting, or out of the office for lunch or vacation. A co-worker’s geographic location is becoming more common as an element in presence information for a number of business reasons, including the capability to quickly respond to customer emergencies. Business has embraced presence information because it facilitates more efficient and effective communication. It helps eliminate inefficiencies associated with “phone tag” or composing and sending e-mails to someone who could more quickly answer a question over the phone or with a quick meeting.

IP enabling contact centers: Refers to the use of IP-based unified communications to enhance customer contact center functionality and performance. The unified communications infrastructure makes use of presence technology to enable customers and internal enterprise employees to be quickly connected to the required expert or support person. In addition, this technology supports mobility, so that call center personnel need not be located at a particular office or remain in a particular place. Finally, the UC infrastructure enables the call center employee to quickly access other employees and information assets, including data, video, image, and audio.

IP/mobility: Refers to the delivery of information to and collection of information from enterprise personnel who are usually mobile, using an IP network infrastructure. In a typical enterprise, upward of 30 percent of employees use some form of remote access technology on a weekly basis in the performance of their jobs.

Converged IP/wireless infrastructure: A unified networking and communications infrastructure based on IP packet transfer that supports voice, data, and video transmission and can be extended to include local- and wide-area wireless communications. UC-enabled mobile devices are able to switch between Wi-Fi and cellular systems in the middle of a communication session. For example, a UC user could receive a co-worker’s call via a smartphone connected to a Wi-Fi network at home, continue the conversation while driving to work over a cellular network connection, and end the call at the office while connected to the business’s Wi-Fi network. Both handoffs (home Wi-Fi to cellular and cellular to office Wi-Fi) would take place seamlessly and transparently without dropping the call.

 

The importance of UC is not only that it integrates communication channels but also that it offers a way to integrate communication functions with business applications. Organizations that use UC typically realize three major categories of benefits:

- Personal productivity gains: Presence information helps employees find each other and choose the most effective way to communicate in real time. Less time is wasted calling multiple numbers to locate co-workers or checking multiple work-related voice mailboxes. Calls from VIP contacts can be routed simultaneously to all of a UC user's phone devices (office phone, softphone, smartphone, home phone) to ensure faster responsiveness to customers, partners, and co-workers. With mobile presence information, the employees who are geographically closest can be dispatched to address a problem.

- Workgroup performance gains: UC systems support real-time collaboration among team members, which facilitates workgroup performance improvements. Examples include the use of presence information to speed identification of an available individual with the right skills a work team needs to address a problem. Enhanced conferencing capabilities with desktop VTC and interactive whiteboards, and automated business rules to route or escalate communications, also help to increase workgroup performance.

- Enterprise-level process improvements: IP convergence enables UC to be integrated with enterprise-wide and departmental-level applications, business processes, and workflows. UC-enabled enhanced communications with customers, suppliers, and business partners are redefining best practices for customer relationship management (CRM), supply chain management (SCM), and other enterprise-wide applications, and are transforming relationships among members of business networks. Communication-enabled business processes (CEBP) are fueling competition in several industries, including financial services, healthcare, and retail.

1.10 Key Terms

After completing this chapter, you should be able to define the following terms.

3G
4G
5G
access network
aggregation router
application provider
application service provider
backbone network
blade server
cloud computing
cloud networking
cloud storage
content provider
core network
core router
distribution network
edge router
end users
IEEE 802.3
IEEE 802.11
Internet of Things (IoT)
Ethernet
network convergence
network provider
peering
Power over Ethernet (PoE)
powerline carrier (PLC)
top-of-rack (ToR) switch
unified communications
Wi-Fi

1.11 References

XI11: Xi, H. "Bandwidth Needs in Core and Aggregation Nodes in the Optical Transport Network." IEEE 802.3 Industry Connections Ethernet Bandwidth Assessment Meeting, November 8, 2011. http://www.ieee802.org/3/ad_hoc/bwa/public/nov11/index_1108.html

Chapter 2. Requirements and Technology

Networks will make possible many straightforward and significant economies. There will be problems such as loss of control, a potential lack of responsiveness to changing needs, and priority conflicts; but many of these problems have already been solved to a considerable degree.

What Can Be Automated?
The Computer Science and Engineering Research Study, National Science Foundation, 1980

Chapter Objectives: After studying this chapter, you should be able to

- Present an overview of the major categories of packet traffic on the Internet and internets, including elastic, inelastic, and real-time traffic.
- Discuss the traffic demands placed on contemporary networks by big data, cloud computing, and mobile traffic.
- Explain the concept of quality of service.
- Explain the concept of quality of experience.
- Understand the essential elements of routing.
- Understand the effects of congestion and the types of techniques used for congestion control.
- Compare and contrast software-defined networking and network functions virtualization.

Chapter 1, "Elements of Modern Networking," provided a survey of the elements that make up the networking ecosystem, including network technologies, network architecture, services, and applications. In a concise fashion, this chapter provides motivation, technical background, and an overview of the key topics covered in this book.

2.1 Types of Network and Internet Traffic

Traffic on the Internet and enterprise networks can be divided into two broad categories: elastic and inelastic. A consideration of their differing requirements clarifies the need for an enhanced networking architecture.

Elastic Traffic

Elastic traffic is traffic that can adjust, over wide ranges, to changes in delay and throughput across an internet and still meet the needs of its applications. This is the traditional type of traffic supported on TCP/IP-based internets and the type of traffic for which internets were designed. Applications that generate such traffic typically use Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) as the transport protocol. With UDP, the application will use as much capacity as is available, up to the rate at which the application generates data. With TCP, the application will use as much capacity as is available, up to the maximum rate at which the end-to-end receiver can accept data. Also with TCP, traffic on individual connections adjusts to congestion by reducing the rate at which data are presented to the network.

Applications that can be classified as elastic include the common applications that operate over TCP or UDP, including file transfer (File Transfer Protocol [FTP], SSH File Transfer Protocol [SFTP]), electronic mail (Simple Mail Transfer Protocol [SMTP]), remote login (Telnet, Secure Shell [SSH]), network management (Simple Network Management Protocol [SNMP]), and web access (Hypertext Transfer Protocol / HTTP Secure [HTTP/HTTPS]). However, there are differences among the requirements of these applications, including the following:

- E-mail is generally insensitive to changes in delay.

- When file transfer is done via user command rather than as an automated background task, the user expects the delay to be proportional to the file size and so is sensitive to changes in throughput.

- With network management, delay is generally not a serious concern. However, if failures in an internet are the cause of congestion, then the need for SNMP messages to get through with minimum delay increases as congestion increases.

- Interactive applications, such as remote login and web access, are sensitive to delay.

It is important to realize that per-packet delay is not the quantity of interest. Observation of real delays across the Internet suggests that wide variations in delay do not occur. Because of the congestion control mechanisms in TCP, when congestion develops, delays increase only modestly before the arrival rate from the various TCP connections slows down. Instead, the quality of service (QoS) perceived by the user relates to the total elapsed time to transfer an element of the current application. For an interactive Telnet-based application, the element may be a single keystroke or a single line. For web access, the element is a web page, which could be as little as a few kilobytes or substantially larger for an image-rich page. For a scientific application, the element could be many megabytes of data.

For very small elements, the total elapsed time is dominated by the delay across the Internet. For larger elements, however, the total elapsed time is dictated by the sliding-window performance of TCP and is therefore dominated by the throughput achieved over the TCP connection. Thus, for large transfers, the transfer time is proportional to the size of the file and to the degree to which the source slows because of congestion.

It should be clear that even if you confine your attention to elastic traffic, some service for prioritizing and controlling traffic could be of benefit. Without such a service, routers deal evenhandedly with arriving IP packets, with no concern for the type of application or whether a particular packet is part of a large transfer element or a small one. Under such circumstances, if congestion develops, it is unlikely that resources will be allocated in such a way as to meet the needs of all applications fairly. When inelastic traffic is added to the mix, the results are even more unsatisfactory.

Inelastic Traffic

Inelastic traffic does not easily adapt, if at all, to changes in delay and throughput across an internet. Examples of inelastic traffic include multimedia transmission, such as voice and video, and high-volume interactive traffic, such as an interactive simulation application (for example, airline pilot simulation). The requirements for inelastic traffic may include the following:

- Throughput: A minimum throughput value may be required. Unlike most elastic traffic, which can continue to deliver data with perhaps degraded service, many inelastic applications absolutely require a given minimum throughput.

- Delay: Also called latency. An example of a delay-sensitive application is stock trading; someone who consistently receives later service will consistently act later, and at a greater disadvantage.

- Delay jitter: The magnitude of delay variation, called delay jitter or simply jitter, is a critical factor in real-time applications. Because of the variable delay imposed by an internet, the interarrival times between packets are not maintained at a fixed interval at the destination. To compensate for this, the incoming packets are buffered, delayed sufficiently to compensate for the jitter, and then released at a constant rate to the software that is expecting a steady real-time stream. The larger the allowable delay variation, the longer the real delay in delivering the data and the larger the delay buffer required at receivers. Real-time interactive applications, such as teleconferencing, may require a reasonable upper bound on jitter.

- Packet loss: Real-time applications vary in the amount of packet loss, if any, that they can sustain.

Table 2.1 shows the loss, delay, and jitter characteristics of various classes of traffic, as specified in RFC 4594 (Configuration Guidelines for DiffServ Service Classes, August 2006). Table 2.2 gives examples of QoS requirements for various media-oriented applications [SZIG14].

Table 2.1 Service Class Characteristics

Table 2.2 QoS Requirements by Application Class

These requirements are difficult to meet in an environment with variable queuing delays and congestion losses. Accordingly, inelastic traffic introduces two new requirements into the internet architecture. First, some means is needed to give preferential treatment to applications with more demanding requirements. Applications need to be able to state their requirements, either ahead of time in some sort of service request function, or on the fly, by means of fields in the IP packet header. The former approach provides more flexibility in stating requirements, and it enables the network to anticipate demands and deny new requests if the required resources are unavailable. This approach implies the use of some sort of resource reservation protocol.
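The "fields in the IP packet header" route is the Differentiated Services Code Point (DSCP): the upper six bits of the IPv4 TOS octet (or the IPv6 Traffic Class), which RFC 4594 maps onto the service classes of Table 2.1. The following Python example, added here and not part of the book, parses an IPv4 header, names the RFC 4594 class for its DSCP, and shows the check a practitioner wants at an untrusted boundary: the marking is unauthenticated, so a neighbour can request Telephony or Network Control treatment simply by setting the bits, and an ingress edge therefore re-marks anything outside its trusted set back to Standard (DF) and recomputes the header checksum. The packet bytes, the trusted-set policy and the build_ipv4 helper are constructed for this example.

```python
"""RFC 4594 service classes on the wire: DSCP parsing and ingress re-marking.

Added example, not from the book. The DSCP-to-class mapping follows the
RFC 4594 recommended code points; packets and policy are constructed here.
"""
import struct

# RFC 4594 recommended DSCP per service class (DSCP = top six bits of the
# TOS / Traffic Class octet). Operators may deploy other code points.
RFC4594_CLASSES = {
    48: "Network Control",            # CS6
    46: "Telephony",                  # EF
    40: "Signaling",                  # CS5
    34: "Multimedia Conferencing",    # AF41
    36: "Multimedia Conferencing",    # AF42
    38: "Multimedia Conferencing",    # AF43
    32: "Real-Time Interactive",      # CS4
    26: "Multimedia Streaming",       # AF31
    28: "Multimedia Streaming",       # AF32
    30: "Multimedia Streaming",       # AF33
    24: "Broadcast Video",            # CS3
    18: "Low-Latency Data",           # AF21
    20: "Low-Latency Data",           # AF22
    22: "Low-Latency Data",           # AF23
    16: "OAM",                        # CS2
    10: "High-Throughput Data",       # AF11
    12: "High-Throughput Data",       # AF12
    14: "High-Throughput Data",       # AF13
    0: "Standard",                    # DF / CS0
    8: "Low-Priority Data",           # CS1
}

# Constructed ingress policy: code points honoured from an untrusted
# neighbour. Network Control (CS6) and Signaling (CS5) are deliberately absent.
TRUSTED_INGRESS_DSCPS = {0, 8, 10, 12, 14, 18, 20, 22, 34, 36, 38, 46}


def _checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an even-length byte string."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Return IHL, DSCP, ECN, length, TTL, protocol and addresses of an IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    return {"ihl": ihl, "dscp": tos >> 2, "ecn": tos & 0x03,
            "total_length": total_len, "ttl": ttl, "protocol": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


def service_class(dscp: int) -> str:
    """Map a DSCP to its RFC 4594 service class name, or 'Unassigned'."""
    return RFC4594_CLASSES.get(dscp, "Unassigned")


def header_checksum_ok(pkt: bytes) -> bool:
    """True if the header checksum verifies (folded sum complements to zero)."""
    ihl = (pkt[0] & 0x0F) * 4
    return _checksum(pkt[:ihl]) == 0


def remark_untrusted(pkt: bytes, allowed=TRUSTED_INGRESS_DSCPS) -> bytes:
    """Reset DSCP to DF (0) unless it is in `allowed`; ECN bits are kept.

    The header checksum covers the TOS octet, so it is recomputed.
    """
    hdr = parse_ipv4_header(pkt)
    if hdr["dscp"] in allowed:
        return pkt
    buf = bytearray(pkt)
    buf[1] = hdr["ecn"]                          # DSCP 0, ECN preserved
    buf[10:12] = b"\x00\x00"                     # zero before recomputing
    buf[10:12] = struct.pack("!H", _checksum(bytes(buf[:hdr["ihl"]])))
    return bytes(buf)


def build_ipv4(dscp: int, ecn: int = 0, proto: int = 17, payload: bytes = b"") -> bytes:
    """Constructed IPv4 header (no options) for testing; checksum is valid."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn,
                                20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                                bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10])))
    hdr[10:12] = struct.pack("!H", _checksum(bytes(hdr)))
    return bytes(hdr) + payload


if __name__ == "__main__":
    for dscp in (46, 48, 34, 0):
        pkt = build_ipv4(dscp, payload=b"\x00" * 160)
        after = parse_ipv4_header(remark_untrusted(pkt))["dscp"]
        print(f"DSCP {dscp:2d} {service_class(dscp):24s} -> after ingress re-mark: {after}")
```

Re-marking at the edge is the usual way to keep a DiffServ domain's assurances meaningful: the code points are honoured only where the marking source is trusted, and the checksum recomputation is what keeps the re-marked packet valid downstream.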

 

An additional requirement in supporting inelastic traffic in an internet architecture is that elastic traffic must still be supported. In contrast to TCP-based applications, inelastic applications typically do not back off and reduce their demand in the face of congestion. Therefore, in times of congestion, inelastic traffic will continue to supply a high load, and elastic traffic will be crowded off the internet. A reservation protocol can help control this situation by denying service requests that would leave too few resources available to handle current elastic traffic.
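To see the crowding-out effect and the admission test this paragraph describes, here is an added Python simulation that is not from the book: an AIMD (TCP-like) sender shares a bottleneck of 100 packets per round with a fixed-rate inelastic source that never backs off, and admit_reservation is a constructed admission policy that refuses any reservation leaving less than a chosen floor for elastic traffic. The capacities, rates and floor are assumptions for the demonstration, not figures from the text.

```python
"""Elastic (TCP-like) traffic sharing a bottleneck with inelastic traffic.

Added example, not from the book. A round is one RTT; the link carries
`capacity` packets per round. The elastic sender uses additive increase /
multiplicative decrease (grow by one each loss-free round, halve on loss),
the inelastic source sends at a fixed rate regardless of loss, and the link
drops the excess proportionally across senders (a drop-tail approximation).
"""


def simulate_share(capacity: int, inelastic_rate: int, rounds: int = 200,
                   initial_cwnd: int = 1) -> dict:
    """Return the average per-round goodput of the elastic and inelastic flows."""
    cwnd = initial_cwnd
    elastic_total = 0.0
    inelastic_total = 0.0
    for _ in range(rounds):
        offered = cwnd + inelastic_rate
        if offered > capacity:
            # Overload: every sender loses the same fraction of its packets.
            share = capacity / offered
            elastic_total += cwnd * share
            inelastic_total += inelastic_rate * share
            cwnd = max(1, cwnd // 2)         # multiplicative decrease on loss
        else:
            elastic_total += cwnd
            inelastic_total += inelastic_rate
            cwnd += 1                        # additive increase, no loss
    return {"elastic_goodput": elastic_total / rounds,
            "inelastic_goodput": inelastic_total / rounds}


def admit_reservation(capacity: int, admitted: list, requested: int,
                      elastic_floor: int) -> bool:
    """Constructed admission test for a reservation-style request.

    Grant the new inelastic reservation only if, afterwards, at least
    `elastic_floor` packets per round remain for elastic traffic. This is an
    illustrative policy, not the rule of any particular reservation protocol.
    """
    if requested <= 0:
        return False
    return sum(admitted) + requested <= capacity - elastic_floor


if __name__ == "__main__":
    cap = 100
    for rate in (0, 50, 90, 100):
        r = simulate_share(cap, rate)
        print(f"inelastic {rate:3d}/{cap}: elastic goodput {r['elastic_goodput']:6.1f}, "
              f"inelastic goodput {r['inelastic_goodput']:6.1f}")
    print("admit 30 with [40] reserved, floor 20:", admit_reservation(cap, [40], 30, 20))
    print("admit 50 with [40] reserved, floor 20:", admit_reservation(cap, [40], 50, 20))
```

With no inelastic load the AIMD sender settles into the familiar sawtooth and averages a little over 60 percent of the link; with the inelastic source at 90 percent of capacity it is squeezed to a few packets per round, and at 100 percent its window stays at one packet, while the inelastic flow keeps almost all of its rate. The admission check is what a reservation protocol applies before the second situation can arise.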

 

Real-Time Traffic Characteristics

As mentioned, a common example of inelastic traffic is real-time traffic. With traditional elastic applications, such as file transfer, electronic mail, and client/server applications including the web, the performance metrics of interest are generally throughput and delay. There is also a concern with reliability, and mechanisms are used to make sure that no data are lost, corrupted, or misordered in transit. By contrast, real-time applications are concerned with timing issues as well as packet loss. In most cases, there is a requirement that data be delivered at a constant rate equal to the sending rate. In other cases, a deadline is associated with each block of data, such that the data are not usable after the deadline has expired.

Figure 2.1 illustrates a typical real-time environment. Here, a server is generating audio to be transmitted at 64 kbps. The digitized audio is transmitted in packets containing 160 octets of data, so one packet is issued every 20 ms. These packets are passed through an internet and delivered to a multimedia PC, which plays the audio in real time as it arrives. However, because of the variable delay imposed by the internet, the interarrival times between packets are not maintained at a fixed 20 ms at the destination. To compensate for this, the incoming packets are buffered, delayed slightly, and then released at a constant rate to the software that generates the audio. The buffer may be internal to the destination machine or in an external network device.
 
FIGURE 2.1 Real-Time Traffic
 

The compensation provided by the delay buffer is limited. For example, if the minimum end-to-end delay seen by any packet is 1 ms and the maximum is 6 ms, the delay jitter is 5 ms. As long as the delay buffer holds incoming packets for at least 5 ms, the output of the buffer will include all incoming packets. However, if the buffer delayed packets by only 4 ms, any incoming packet that had experienced a relative delay of more than 4 ms (an absolute delay of more than 5 ms) would have to be discarded so as not to be played back out of order.
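The playout-buffer arithmetic above, as an added Python example that is not taken from the book: packets are sent every 20 ms (160 octets at 64 kbps), the constructed delay list reproduces the text's 1 ms minimum and 6 ms maximum, and schedule_playout reports which packets are discarded for a given buffer delay and how many packets the buffer must hold. A second constructed delay list with 40 ms of jitter shows the buffer holding more than one packet and absorbing a reordering. The receiver here anchors playout on the minimum delay of the list; a real receiver has to estimate that from early arrivals.

```python
"""Playout (jitter) buffer for a 64 kbps packetized audio stream.

Added example, not from the book. Packet i is sent at i * 20 ms; its
end-to-end delay is delays_ms[i]. The buffer releases packet i at
i * 20 ms + reference_delay + playout_delay and discards any packet that
arrives after its release time (it could only be played out of order).
All delay lists are constructed for the demonstration.
"""

PACKET_INTERVAL_MS = 20.0      # 160 octets per packet at 64 kbps
PAYLOAD_OCTETS = 160

# Reproduces the text's numbers: minimum delay 1 ms, maximum 6 ms, jitter 5 ms.
DELAYS_TEXT_MS = [1, 3, 6, 2, 5, 1, 4, 6, 2, 3]
# Larger jitter (40 ms); packet 4 overtakes packet 3 in transit.
DELAYS_LARGE_MS = [10, 45, 30, 50, 12, 40]


def schedule_playout(delays_ms, playout_delay_ms, interval_ms=PACKET_INTERVAL_MS,
                     reference_delay_ms=None):
    """Simulate the receiver's playout buffer for one stream.

    reference_delay_ms defaults to the minimum delay, so the fastest packet
    is held for exactly playout_delay_ms (an assumption: a real receiver
    estimates this value from the first arrivals).
    """
    if reference_delay_ms is None:
        reference_delay_ms = min(delays_ms)
    n = len(delays_ms)
    arrivals = [i * interval_ms + d for i, d in enumerate(delays_ms)]
    releases = [i * interval_ms + reference_delay_ms + playout_delay_ms
                for i in range(n)]
    discarded = [i for i in range(n) if arrivals[i] > releases[i]]
    kept = [i for i in range(n) if i not in discarded]

    # Buffer occupancy: at each arrival, count kept packets that have
    # arrived and are still waiting for their release time.
    max_held = 0
    for i in kept:
        t = arrivals[i]
        held = sum(1 for j in kept if arrivals[j] <= t < releases[j])
        max_held = max(max_held, held)

    return {
        "jitter_ms": max(delays_ms) - min(delays_ms),
        "discarded": discarded,
        "delivered": n - len(discarded),
        "max_buffered_packets": max_held,
        "max_buffered_octets": max_held * PAYLOAD_OCTETS,
    }


if __name__ == "__main__":
    for delays, label in ((DELAYS_TEXT_MS, "text"), (DELAYS_LARGE_MS, "large")):
        jitter = max(delays) - min(delays)
        for playout in (jitter, jitter - 1, jitter - 10):
            if playout < 0:
                continue
            r = schedule_playout(delays, playout)
            print(f"{label}: buffer {playout:2d} ms, jitter {r['jitter_ms']:2d} ms, "
                  f"delivered {r['delivered']}, discarded {r['discarded']}, "
                  f"max buffered {r['max_buffered_packets']} packet(s)")
```

With the text's delays a 5 ms buffer delivers every packet and a 4 ms buffer drops the two packets that saw the 6 ms delay; because the buffer delay is far shorter than the 20 ms packet interval, at most one packet is ever waiting. With 40 ms of jitter the buffer holds two packets at a time, which is the size trade-off the preceding list item on delay jitter describes.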

 

The description of real-time traffic so far implies a series of equal-size packets generated at a constant rate. This is not always the profile of the traffic. Figure 2.2 illustrates some of the common possibilities, as described in the list that follows.

 
FIGURE 2.2 Real-Time Packet Transmission
 

- Continuous data source: Fixed-size packets are generated at fixed intervals. This characterizes applications that are constantly generating data, have few redundancies, and are too important to compress in a lossy way. Examples are air traffic control radar and real-time simulations.

- On/off source: The source alternates between periods when fixed-size packets are generated at fixed intervals and periods of inactivity. A voice source, such as in telephony or audio conferencing, fits this profile.

- Variable packet size: The source generates variable-length packets at uniform intervals. An example is digitized video, in which different frames may experience different compression ratios for the same output quality level.

 

2.2 Demand: Big Data, Cloud Computing, and Mobile Traffic

Having looked at the types of traffic presented to the Internet and other IP-based networks, consider the application areas that are generating the greatest stress on network resources and management. Three areas stand out: big data, cloud computing, and mobility. All of these areas suggest the need for powerful tools such as software-defined networking (SDN) and network functions virtualization (NFV) for network operation and management, and for comprehensive QoS and quality of experience (QoE) systems for effective delivery of services over IP-based networks.

Big Data

In simple terms, big data refers to everything that enables an organization to create, manipulate, and manage very large data sets (measured in terabytes, petabytes, exabytes, and so on) and the facilities in which these are stored. Distributed data centers, data warehouses, and cloud-based storage are common aspects of today's enterprise networks. Many factors have contributed to the merging of "big data" and business networks, including continuing declines in storage costs, the maturation of data mining and business intelligence (BI) tools, and government regulations and court cases that have caused organizations to stockpile large masses of structured and unstructured data, including documents, e-mail messages, voice-mail messages, text messages, and social media data. Other data sources being captured, transmitted, and stored include web logs, Internet documents, Internet search indexing, call detail records, scientific research data and results, military surveillance, medical records, video archives, and e-commerce transactions.

Data sets continue to grow, with more and more data being gathered by remote sensors, mobile devices, cameras, microphones, radio frequency identification (RFID) readers, and similar technologies. One study from a few years ago estimated that 2.5 exabytes (2.5 × 10^18 bytes) of data are created each day, and that 90 percent of the data in the world was created in the past two years [IBM11]. Those numbers are likely higher today.

 
Big Data Infrastructure Considerations

Traditional business data storage and management technologies include relational database management systems (RDBMS), network-attached storage (NAS), storage-area networks (SANs), data warehouses (DWs), and business intelligence (BI) analytics.

Traditional data warehouse and BI analytics systems tend to be highly centralized within an enterprise infrastructure. These often include a central data repository with an RDBMS, high-performance storage, and analytics software, such as online analytical processing (OLAP) tools for mining and visualizing data.

Increasingly, big data applications are becoming a source of competitive value for businesses, especially those that aspire to build data products and services to profit from the huge volumes of data that they capture and store. There is every indication that the exploitation of data will become increasingly important to enterprises in the years ahead as more and more businesses reap the benefits of big data applications.

 
Big Data Networking Example

To get some feel for the networking requirements of a typical big data system, consider the example ecosystem of Figure 2.3 (compare Figure 1.1 in Chapter 1).

 
FIGURE 2.3 Big Data Networking Ecosystem

 

Key elements within the enterprise include the following:

- Data warehouse: The DW holds integrated data from multiple data sources, used for reporting and data analysis.

- Data management servers: Large banks of servers serve multiple functions with respect to big data. The servers run data analysis applications, such as data integration tools and analytics tools. Other applications integrate and structure data from enterprise activity, such as financial data, point-of-sale data, and e-commerce activity.

- Workstations / data processing systems: Other systems involved in the use of big data applications and in the generation of input to big data warehouses.

- Network management server: One or more servers responsible for network management, control, and monitoring.

Not shown in Figure 2.3 are other important network devices, including firewalls, intrusion detection/prevention systems (IDS/IPS), LAN switches, and routers.

The enterprise network can involve multiple sites distributed regionally, nationally, or globally. In addition, depending on the nature of the big data system, an enterprise can receive data from other enterprise servers and from dispersed sensors and other devices in an Internet of Things, as well as multimedia content from content delivery networks.

 

The networking environment for big data is complex. The impact of big data on an enterprise's networking infrastructure is driven by the so-called three V's:

- Volume (growing amounts of data)
- Velocity (increasing speed in storing and reading data)
- Variability (growing number of data types and sources)

Based on a Network World 2014 white paper, areas of concern include the following [NETW14]:

- Network capacity: Running big data analytics requires a lot of capacity on its own; the issue is magnified when big data and day-to-day application traffic are combined over an enterprise network.

- Latency: The real-time or near-real-time nature of big data demands a network architecture with consistently low latency to achieve optimal performance.

- Storage capacity: Massive amounts of highly scalable storage are required to address the insatiable appetite of big data, yet these resources must be flexible enough to handle many different data formats and traffic loads.

- Processing: Big data can add significant pressure on computational, memory, and storage systems, which, if not properly addressed, can negatively impact operational efficiency.

- Secure data access: Big data projects combine sensitive information from many sources, such as customer transactions, GPS coordinates, and video streams, which must be protected from unauthorized access.

 

云计算

Cloud Computing

 

与大数据安装一样,云计算对网络流量的有效和高效流动提出了挑战。在这方面,考虑 ITU-T 开发的云网络模型将很有帮助,如图2.4 [ ITUT12 ]所示。该图表明了云网络和服务提供商以及云服务用户的网络关注范围。

As with big data installations, cloud computing presents imposing challenges for effective and efficient flow of traffic through networks. It will be helpful in this regard to consider the cloud network model developed by ITU-T, and shown in Figure 2.4 [ITUT12]. This figure indicates the scope of network concerns for cloud network and service providers and for cloud service users.

 
图像

图 2.4云网络模型

FIGURE 2.4 Cloud Network Model

 

云服务提供商维护一个或多个本地或区域云基础设施。云内网络连接基础设施的各个元素,包括数据库服务器、存储阵列和其他服务器(例如防火墙、负载均衡器、应用程序加速设备和 IDS/IPS)。云内网络可能包括许多与 IP 路由器互连的 LAN。在基础设施内,数据库服务器被组织为虚拟机集群,为不同用户提供虚拟化、隔离的计算环境。

A cloud service provider maintains one or more local or regional cloud infrastructures. An intracloud network connects the elements of the infrastructure, including database servers, storage arrays, and other servers (for example, firewalls, load balancers, application acceleration devices, and IDS/IPS). The intracloud network will likely include a number of LANs interconnected with IP routers. Within the infrastructure, database servers are organized as a cluster of virtual machines, providing virtualized, isolated computing environments for different users.

 

图像 请参阅第 7 章网络功能虚拟化:概念和架构

See Chapter 7, “Network Functions Virtualization: Concepts and Architecture

 

云间网络将云基础设施互连在一起。这些云基础设施可能属于同一云提供商或不同的云提供商。最后,客户使用核心传输网络来访问和使用云提供商数据中心内部署的云服务。

Intercloud networks interconnect cloud infrastructures together. These cloud infrastructures may be owned by the same cloud provider or by different ones. Finally, a core transport network is used by customers to access and consume cloud services deployed within the cloud provider’s data center.

 

图 2.4还描述了两类运营支持系统 (OSS)

Also depicted in Figure 2.4 are two categories of operations support system (OSS):

 

图像 网络OSS:传统的OSS是专门为电信服务提供商提供的系统。网络OSS支持的流程包括网络库存的服务管理和维护、特定网络组件的配置以及故障管理。

Network OSS: The traditional OSS is a system dedicated to providers of telecommunication services. The processes supported by a network OSS include service management and maintenance of the network inventory, configuration of particular network components, and fault management.

 


Cloud OSS: OSS of cloud infrastructure is the system dedicated to providers of cloud computing services. Cloud OSS supports processes for the maintenance, monitoring, and configuration of cloud resources.

 


These three network components (intracloud, intercloud, core), together with the OSS components, are the foundation of cloud services composition and delivery. The ITU-T Focus Group on Cloud Computing Technical Report [ITUT12] lists the following functional requirements for this network capability:

 


Scalability: Networks must be able to scale easily to meet the demands of moving from current cloud infrastructures of hundreds or a few thousand servers to networks of tens or even hundreds of thousands of servers. This scaling presents challenges in areas such as addressing, routing, and congestion control.

 


Performance: Traffic in both big data installations and cloud provider networks is unpredictable and quite variable [KAND12]. There are sustained spikes between nearby servers within the same rack and intermittent heavy traffic with a single source server and multiple destination servers. Intracloud networks need to provide reliable high-speed direct (logical point-to-point) communications between servers with congestion-free links, and uniform capacity between any two arbitrary servers within the data center. The ITU-T report concludes that the current three-tier topology (access, aggregation, and core) used in data centers is not well adapted to provide these requirements. A more flexible and dynamic control of data flows, in addition to virtualization of network devices, provides a better foundation for providing the desired quality of service.

 


Agility and flexibility: The cloud-based data center needs to be able to respond and manage the highly dynamic nature of cloud resource utilization. This includes the ability to adapt to virtual machine mobility and to provide fine-grained control of flows routing through the data center.

 

See Chapter 13, “Cloud Computing”

 


We return to this discussion in Chapter 13, “Cloud Computing.” For now, it suffices to point out that as the book unfolds, it should be clear that the combination of SDN and NFV are well suited to meeting the requirements in the preceding list.

 


Mobile Traffic

 


Technical innovations have contributed to the success of what were originally just mobile phones. The prevalence of the latest devices, with multimegabit Internet access, mobile apps, high megapixel digital cameras, access to multiple types of wireless networks (for example, Wi-Fi, Bluetooth, 3G, 4G), and several onboard sensors, all add to this momentous achievement. Devices have become increasingly powerful while staying easy to carry. Battery life has increased (even though device energy usage has also expanded), and digital technology has improved reception and allowed better use of a finite spectrum. As with many types of digital equipment, the costs associated with mobile devices have been decreasing.

 


The first rush to wireless was for voice. Now, the attention is on data; some wireless devices are only rarely used for voice. Figure 2.5 shows the dramatic trend in world total mobile traffic in 2G, 3G, and 4G networks (not including DVB-H, Wi-Fi, and Mobile WiMAX) estimated by Ericsson [AKAM15]. Ericsson’s presence in more than 180 countries and its customer base representing more than 1000 networks enable it to measure mobile voice and data volumes. The result is a representative base for calculating world total mobile traffic.

 

FIGURE 2.5 World Total Monthly Mobile Voice and Data Traffic (exabytes/month) [AKAM15]

 


A big part of the mobile market is the wireless Internet. Wireless users use the Internet differently than fixed users, but in many ways no less effectively. Wireless smartphones have limited displays and input capabilities compared with larger devices such as laptops or PCs, but mobile apps give quick access to intended information without using websites. Because wireless devices are location aware, information can be tailored to the geographic location of the user. Information finds users, instead of users searching for information. Tablet devices provide a happy medium between the larger screens and better input capabilities of PCs and the portability of smartphones.

 


Figure 2.6 shows a projection for mobile enterprise IP traffic [CISC14], where the term enterprise refers to businesses and governments. Cisco’s methodology rests on a combination of analyst projections, in-house estimates and forecasts, and direct data collection. As with mobile data traffic over cellular networks, mobile enterprise IP traffic is on a strong growth curve.

 

FIGURE 2.6 Forecast Monthly Enterprise IP Traffic (Exabytes/Month) [CISC14]

 


Figure 2.6 breaks the mobile traffic down into three categories:

 


Mobile data traffic: All enterprise traffic that crosses a mobile access point

 


Managed IP traffic: All enterprise traffic that is transported over IP but remains within the corporate WAN

 


Internet traffic: All enterprise traffic that crosses the public Internet

 


Although mobile traffic is the smallest of the three categories of enterprise traffic, it is growing much more rapidly than the other two categories. Based on Cisco’s projections, the compound annual growth rate over the period 2013 to 2018 for enterprise traffic is as follows:

 
(Image: the growth-rate figures are not reproduced here)


Enterprise networks need to be flexible enough to handle the rapidly growing mobile data load. Such a load is characterized by dynamically changing physical access points into the network and a wide variety of elastic and inelastic traffic types. As you will learn, SDN and NFV are well suited to coping with this highly dynamic load.

 


2.3 Requirements: QoS and QoE

 


So far, this chapter has focused on the types of traffic the enterprise networks and the Internet carry and looked at three areas of demand that create significant challenges for providing effective and efficient network service to users. This section briefly introduces two concepts that provide a way of quantifying the network performance that the enterprise desires to achieve: quality of service (QoS) and quality of experience (QoE). QoS and QoE enable the network manager to determine whether the network is meeting user needs and to diagnose problem areas that require adjustment to network management and network traffic control. QoS and QoE are treated in detail in Part IV of the book.

 

See Part IV, “Defining and Supporting User Needs”

 


Quality of Service

 


You can define QoS as the measurable end-to-end performance properties of a network service, which can be guaranteed in advance by a service level agreement (SLA) between a user and a service provider, so as to satisfy specific customer application requirements. Commonly specified properties include the following:

 


Throughput: A minimum or average throughput, in bytes per second or bits per second, for a given logical connection or traffic flow.

 


Delay: The average or maximum delay. Also called latency.

 


Packet jitter: Typically, the maximum allowable jitter.

 


Error rate: Typically maximum error rate, in terms of fraction of bits delivered in error.

 


Packet loss: Fraction of packets lost.

 


Priority: A network may offer a given number of levels of priority. The assigned level for various traffic flows influences the way in which the different flows are handled by the network.

 


Availability: Expressed as a percentage of time available.

 


Security: Different levels or types of security may be defined.

 


QoS mechanisms ensure that business applications continue to receive the necessary performance guarantee even though they no longer run on dedicated hardware, such as when applications are transferred to a cloud. The QoS provided by an infrastructure is partially determined by its overall performance and efficiency. However, QoS is also the ability to prioritize specific workloads and allocate the needed resources to meet required service levels. It can offer a powerful way to allocate processor, memory, I/O, and network traffic resources among applications and virtual guests.
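The properties listed above only become enforceable once they are measured and compared against the SLA bounds. The following Python example is added here (it is not code from the book) and shows how the throughput, delay, jitter, loss and availability properties can be computed from a packet trace and checked against an SLA. The trace, the SLA bounds and the outage figures are constructed for illustration; the jitter definition used (mean absolute change in one-way delay between consecutive packets) is one common operational choice, not the only one.

```python
from statistics import mean

# Constructed one-way packet trace for a single flow, in the form
# (sequence number, send time in s, receive time in s or None if lost, bytes).
# These values are made up for the example; they are not measurements from the book.
TRACE = [
    (1, 0.000, 0.020, 1200),
    (2, 0.010, 0.031, 1200),
    (3, 0.020, 0.039, 1200),
    (4, 0.030, None, 1200),   # never arrived
    (5, 0.040, 0.066, 1200),
    (6, 0.050, 0.071, 1200),
    (7, 0.060, 0.082, 1200),
    (8, 0.070, 0.090, 1200),
]

# Example SLA: ("min", bound) means the measured value must not fall below the
# bound, ("max", bound) that it must not exceed it.  The bounds are illustrative.
SLA = {
    "throughput_bps": ("min", 500_000),
    "mean_delay_s": ("max", 0.030),
    "max_delay_s": ("max", 0.050),
    "jitter_s": ("max", 0.010),
    "loss_fraction": ("max", 0.01),
}


def measure(trace):
    """Compute the QoS properties listed in the text from a packet trace."""
    delivered = [p for p in trace if p[2] is not None]
    delays = [recv - sent for _, sent, recv, _ in delivered]
    # Jitter here is the mean absolute change in one-way delay between
    # consecutive delivered packets (a common operational definition).
    jitter = (mean(abs(b - a) for a, b in zip(delays, delays[1:]))
              if len(delays) > 1 else 0.0)
    # Throughput over the interval from first transmission to last reception.
    span = (max(recv for _, _, recv, _ in delivered)
            - min(sent for _, sent, _, _ in trace))
    bits = 8 * sum(size for *_, size in delivered)
    return {
        "throughput_bps": bits / span,
        "mean_delay_s": mean(delays),
        "max_delay_s": max(delays),
        "jitter_s": jitter,
        "loss_fraction": 1 - len(delivered) / len(trace),
    }


def availability(outage_seconds, period_seconds):
    """Fraction of the period during which the service was usable."""
    return 1 - sum(outage_seconds) / period_seconds


def sla_violations(measured, sla):
    """Return [(metric, measured value, bound)] for every property outside the SLA."""
    violations = []
    for metric, (kind, bound) in sla.items():
        value = measured[metric]
        if (kind == "min" and value < bound) or (kind == "max" and value > bound):
            violations.append((metric, value, bound))
    return violations


if __name__ == "__main__":
    m = measure(TRACE)
    for name, value in m.items():
        print(f"{name:16s} {value:.6f}")
    print("violations:", sla_violations(m, SLA))
    print("availability:", availability([120, 30], 30 * 24 * 3600))
```

On the constructed trace one packet in eight is lost, so the loss bound is the only property violated even though throughput, delay and jitter are all within their limits; this is the kind of per-property verdict a provider and customer would reconcile against the SLA.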

 


Quality of Experience

 

QoE is a subjective measure of performance as reported by the user. Unlike QoS, which can be precisely measured, QoE relies on human opinion. QoE is important particularly when we deal with multimedia applications and multimedia content delivery. QoS provides measurable, quantitative targets that guide the design and operation of a network and enable customer and provider to agree on what quantitative performance the network will deliver for given applications and traffic flows.

 


However, QoS processes by themselves are not sufficient in that they do not take into account the user’s perception of network performance and service quality. Although the maximum capacity may be fixed at a certain value by a media transmission system, this does not necessarily fix the quality of the multimedia content at, say, “high.” This is because there are numerous ways the multimedia content could have been encoded, giving rise to differing perceived qualities. The ultimate measure of a network and the services it offers is how subscribers perceive the performance. QoE augments the traditional QoS by providing information regarding the delivered services from an end user point of view.

 


There is a wide range of factors and features that can be included in a requirement for QoE, which can, roughly, be classified into the following categories:

 


Perceptual: This category encompasses the quality of the sensory aspects of the user experience. For video, examples include sharpness, brightness, contrast, flicker, and distortion. Audio examples include clarity and timbre.

 


Psychological: This category deals with the user’s feeling about the experience. Examples include ease of use, joy of use, usefulness, perceived quality, satisfaction, annoyance, and boredom.

 


Interactive: This category deals with aspects of an experience related to the interaction between the user and the application or device, such as responsiveness, naturalness of interaction, communication efficiency, and accessibility.

 


For practical application, these features need to be converted to quantitative measures.

 


The management of QoE has become a crucial concept in the deployment of future successful applications, services, and products. The greatest challenges in providing QoE are developing effective methods for converting QoE features to quantitative measures and translating QoE measures to QoS measures. Whereas QoS can now easily be measured, monitored, and controlled at both the networking and application layers, and at both the end system and network sides, QoE is something that is still quite intricate to manage.

 


2.4 Routing

 


This section and the next briefly introduce two mechanisms that are fundamental to the operation of a network and its capability to transmit and deliver packet traffic: routing and congestion control. A detailed look is beyond the scope of the book. The purpose here is to indicate the basic concepts of routing and congestion control, because these are the basic tools needed to support network traffic and to provide QoS and QoE.

 


Characteristics

 


The primary function of an internet is to accept packets from a source station and deliver them to a destination station. To accomplish this, a path or route through the network must be determined; generally, more than one route is possible. Therefore, a routing function must be performed.

 


The selection of a route is generally based on some performance criterion. The simplest criterion is to choose the minimum-hop route (one that passes through the least number of nodes) through the network. This is an easily measured criterion and should minimize the consumption of network resources. A generalization of the minimum-hop criterion is least-cost routing. In this case, a cost is associated with each link, and, for any pair of attached stations, the route through the network that accumulates the least cost is sought.

 


Figure 2.7 illustrates a network in which the two arrowed lines between a pair of nodes represent a link between these nodes, and the corresponding numbers represent the current link cost in each direction. Our concern, of course, is with an internet, in which each node is a router and the links between adjacent routers are networks or direct communications links. The shortest path (fewest hops) from node 1 to node 6 is 1-3-6 (Cost = 5 + 5 = 10), but the least-cost path is 1-4-5-6 (Cost = 1 + 1 + 2 = 4).

 

FIGURE 2.7 Network Architecture Example

 


Costs are assigned to links to support one or more design objectives. For example, the cost could be inversely related to the data rate (that is, the higher the data rate on a link, the lower the assigned cost of the link) or the current link delay. In the first case, the least-cost route should provide the highest throughput. In the second case, the least-cost route should minimize delay. Routing decisions can be based on other criteria as well. For example, a routing policy may dictate that certain types of traffic be restricted to certain routes for security concerns.

 


Packet Forwarding

 

The key function of any router is to accept incoming packets and forward them. For this purpose, a router maintains forwarding tables. Figure 2.8 shows a simplified example of how this might be implemented for the network, with its associated link costs, of Figure 2.7. A router’s forwarding table shows, for each destination, the identity of the next node on the route. Each router may be responsible for discovering the appropriate routes. Alternatively, a network control center may be responsible for designing routes for all routers and maintaining a central forwarding table, providing each router with individual forwarding tables relevant only to that router.

 

FIGURE 2.8 Packet Forwarding Tables (using Figure 2.7)

 


Note that it is not necessary to store the complete route for each possible pair of nodes. Rather, it is sufficient to know, for each pair of nodes, the identity of the first node on the route.

 


In the simple example of Figure 2.8, forwarding decisions are based solely on the identity of the destination system. Additional information is often used to determine the forwarding decision, such as the source address, packet flow identifier, or security level of the packet:

 


Failure: When a node or link fails, it can no longer be used as part of a route.

 


Congestion: When a particular portion of the network is heavily congested, it is desirable to route packets around rather than through the area of congestion.

 


Topology change: The insertion of new links or nodes affects routing.

 


For adaptive routing to be possible, information about the state of the network must be exchanged among the nodes or between the nodes and a central controller.
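The least-cost and minimum-hop criteria, the next-hop forwarding tables of Figure 2.8, and the adaptive cases just listed (a failed link, or a route a policy bars for certain traffic) can all be exercised on a small graph. The following Python example is added here and is not code from the book. It uses the Figure 2.7 link costs quoted in the text (1-3 = 5, 3-6 = 5, 1-4 = 1, 4-5 = 1, 5-6 = 2, assumed symmetric); because the figure itself is not reproduced, the links through node 2 and the 3-4 link are constructed for the example. The `excluded` parameter is the example’s own device for removing a link from consideration, whether because it has failed or because a routing policy forbids it for a class of traffic.

```python
import heapq
from collections import deque

# Link costs quoted in the text for Figure 2.7: 1-3 = 5, 3-6 = 5, 1-4 = 1, 4-5 = 1,
# 5-6 = 2 (the same cost is assumed in both directions).  The figure itself is not
# reproduced here, so the links through node 2 and the 3-4 link are CONSTRUCTED
# for this example and are not taken from the book.
LINKS = {
    (1, 3): 5, (3, 6): 5, (1, 4): 1, (4, 5): 1, (5, 6): 2,   # from the text
    (1, 2): 2, (2, 3): 3, (2, 4): 2, (3, 4): 3,              # constructed
}


def build_graph(links):
    """Adjacency map {node: {neighbour: cost}} for a set of bidirectional links."""
    graph = {}
    for (a, b), cost in links.items():
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def _path_to(prev, source, node):
    path = [node]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return path[::-1]


def least_cost_paths(graph, source, excluded=frozenset()):
    """Dijkstra's algorithm: {destination: (total cost, path)} from source.

    'excluded' is a set of frozenset({a, b}) links the route must not use,
    for example a failed link or one a routing policy forbids for this class
    of traffic.
    """
    dist, prev, done = {source: 0}, {}, set()
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nxt, link_cost in graph[node].items():
            if frozenset((node, nxt)) in excluded:
                continue
            new_cost = cost + link_cost
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt] = new_cost
                prev[nxt] = node
                heapq.heappush(heap, (new_cost, nxt))
    return {n: (dist[n], _path_to(prev, source, n)) for n in dist}


def min_hop_paths(graph, source):
    """Breadth-first search: the fewest-hop path to every reachable node."""
    prev, seen, pending = {}, {source}, deque([source])
    while pending:
        node = pending.popleft()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                prev[nxt] = node
                pending.append(nxt)
    return {n: _path_to(prev, source, n) for n in seen}


def path_cost(links, path):
    """Sum of link costs along a path."""
    return sum(links.get((a, b), links.get((b, a))) for a, b in zip(path, path[1:]))


def forwarding_table(graph, router, excluded=frozenset()):
    """Next-hop table for one router: {destination: next node}.

    Only the first node on each least-cost route is stored, as the text notes.
    """
    paths = least_cost_paths(graph, router, excluded)
    return {dst: path[1] for dst, (_, path) in paths.items() if dst != router}


if __name__ == "__main__":
    g = build_graph(LINKS)
    print("least cost 1->6:", least_cost_paths(g, 1)[6])
    print("fewest hops 1->6:", min_hop_paths(g, 1)[6])
    print("forwarding table at router 1:", forwarding_table(g, 1))
    no_1_4 = {frozenset((1, 4))}   # link 1-4 down, or barred by policy
    print("table at router 1 avoiding 1-4:", forwarding_table(g, 1, no_1_4))
```

Run stand-alone, the script reproduces the two figures from the text (1-3-6 is the fewest-hop route at cost 10, 1-4-5-6 the least-cost route at cost 4) and then shows how router 1’s next hop for destination 6 changes once link 1-4 is excluded, which is the kind of recomputation the adaptive routing cases above require; a route pinned for security reasons is handled the same way, by computing the table for that traffic class with the forbidden links excluded.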

 


Routing Protocols

 


The routers in an internet are responsible for receiving and forwarding packets through the interconnected set of networks. Each router makes routing decisions based on knowledge of the topology and traffic/delay conditions of the internet. Accordingly, a degree of dynamic cooperation is needed among the routers. In particular, the router must avoid portions of the network that have failed and should avoid portions of the network that are congested. To make such dynamic routing decisions, routers exchange routing information using a routing protocol. Information is needed about the status of the internet, in terms of which networks can be reached by which routes, and the delay characteristics of various routes.

 


There are essentially two categories of routing protocols, which are based on the concept of an autonomous system (AS). We first define AS and then look at the two categories. An AS exhibits the following characteristics:

 


1. An AS is a set of routers and networks managed by a single organization.

 


2. An AS consists of a group of routers exchanging information via a common routing protocol.

 


3. Except in times of failure, an AS is connected (in a graph-theoretic sense); that is, there is a path between any pair of nodes.

 


A shared routing protocol, called here an interior router protocol (IRP), passes routing information between routers within an AS. The protocol used within the AS does not need to be implemented outside of the system. This flexibility allows IRPs to be custom tailored to specific applications and requirements.

 


It may happen, however, that an internet will be constructed of more than one AS. For example, all the LANs at a site, such as an office complex or campus, could be linked by routers to form an AS. This system might be linked through a wide-area network to other autonomous systems. Figure 2.9 illustrates this situation.

 

FIGURE 2.9 Use of Exterior and Interior Routing Protocols

 


In this case, the routing algorithms and information in routing tables used by routers in different autonomous systems may differ. Nevertheless, the routers in one AS need at least a minimal level of information concerning networks outside the system that can be reached. We refer to the protocol used to pass routing information between routers in different autonomous systems as an exterior router protocol (ERP).

 


 


Note

 

In the literature, the terms interior gateway protocol (IGP) and exterior gateway protocol (EGP) are often used for what are referred to here as IRP and ERP. However, because the terms IGP and EGP also refer to specific protocols, we avoid their use when referring to the general concepts.

 

 


You can expect that an ERP will need to pass less information than an IRP for the following reason. If a packet is to be transferred from a host in one AS to a host in another AS, a router in the first system need only determine the target AS and devise a route to get into that target system. Once the packet enters the target AS, the routers within that system can cooperate to deliver the packet; the ERP is not concerned with, and does not know about, the details of the route followed within the target AS.

 


Elements of a Router

 


Figure 2.10 depicts the principal elements of a router, from the point of view of its routing function.

 

FIGURE 2.10 Elements of a Router

 


Any given router has a number of I/O ports attached to it: one or more to other routers, and zero or more to end systems. On each port, packets arrive and depart. You can consider that there are two buffers, or queues, at each port: one to accept arriving packets, and one to hold packets that are waiting to depart. In practice, there might be two fixed-size buffers associated with each port, or there might be a pool of memory available for all buffering activities. In the latter case, you can think of each port having two variable-size buffers associated with it, subject to the constraint that the sum of all buffer sizes is a constant.

 


In any case, as packets arrive, they are stored in the input buffer of the corresponding port. The router examines each incoming packet, makes a routing decision based on the forwarding tables, and then moves the packet to the appropriate output buffer. Packets queued for output are transmitted as rapidly as possible. Each output queue can be operated as a simple first-in, first-out (FIFO) queue. More commonly, a more complex queuing discipline is used, to take into account the relative priority of the queued packets. A set of routing policies may also influence the construction of the forwarding tables and how various packets are to be treated. Policies may determine routing not just on the destination address but other factors, such as source address, packet size, and protocol of the payload.

 


The final element shown in Figure 2.10 is a routing control function. This function includes execution of routing protocols, adaptive maintenance of the routing tables, and supervising congestion control policies.

 


2.5 Congestion Control

 


If the traffic demand on an internet exceeds capacity, or if the internet does not manage the traffic efficiently, congestion will occur. This section provides a brief overview of the effects of congestion and a general introduction to approaches to congestion control.

 


Effects of Congestion

 


If packets arrive too fast for a router to process them (that is, make routing decisions) or faster than packets can be cleared from the outgoing buffers, eventually packets will arrive for which no memory is available. When such a saturation point is reached, one of two general strategies can be adopted. The first such strategy is to discard any incoming packet for which there is no available buffer space. The alternative is for the node that is experiencing these problems to exercise some sort of flow control over its neighbors so that the traffic flow remains manageable. But, as Figure 2.11 illustrates, each of a node’s neighbors is also managing a number of queues. If node 6 restrains the flow of packets from node 5, this causes the output buffer in node 5 for the port to node 6 to fill up. Thus, congestion at one point in the network can quickly propagate throughout a region or the entire network. Although flow control is indeed a powerful tool, you need to use it in such a way as to manage the traffic on the entire network.

 

FIGURE 2.11 Interaction of Queues in a Data Network

 
Ideal Performance
 


Figure 2.12 suggests the ideal goal for network utilization.

 

FIGURE 2.12 Ideal Network Utilization

 

The top graph plots the steady-state total throughput (number of packets delivered to destination end systems) through the network as a function of the offered load (number of packets transmitted by source end systems), both normalized to the maximum theoretical throughput of the network. In the ideal case, the throughput of the network increases to accommodate load up to an offered load equal to the full capacity of the network; then normalized throughput remains at 1.0 at higher input loads. Note, however, what happens to the end-to-end delay experienced by the average packet even with this assumption of ideal performance. At negligible load, there is some small constant amount of delay that consists of the propagation delay through the network from source to destination plus processing delay at each node. As the load on the network increases, queuing delays at each node are added to this fixed amount of delay. The reason for the increase in delay even when the total network capacity is not exceeded has to do with the variability in load at each node. With multiple sources supplying data to the network, even if each source produced packets at fixed intervals, there will be fluctuation in the input rate at each individual network node. When a burst of packets arrives at a node, it will take some time to clear the backlog. As it is clearing the backlog, it is sending out a sustained burst of packets, thus imposing packet bursts on downstream nodes. And once a queue builds up at a node, even if packets only arrive at a rate the node can handle during a given time period, those packets have to wait their turn in the queue, and thus experience additional delay. This is a standard result of queuing theory: delays will grow with increasing load if the arrival rate is not constant.

 


When the load exceeds the network capacity, delays increase without bound. Here is a simple intuitive explanation of why delay must go to infinity. Suppose that each node in the network is equipped with buffers of infinite size and suppose that the input load exceeds network capacity. Under ideal conditions, the network will continue to sustain a normalized throughput of 1.0. Therefore, the rate of packets leaving the network is 1.0. Because the rate of packets entering the network is greater than 1.0, internal queue sizes grow. In the steady state, with input greater than output, these queue sizes grow without bound and therefore queuing delays grow without bound.

 


It is important to grasp the meaning of Figure 2.12 before looking at real-world conditions. This figure represents the ideal, but unattainable, goal of all traffic and congestion control schemes. No scheme can exceed the performance depicted in Figure 2.12.

 
Practical Performance
 


The ideal case reflected in Figure 2.12 assumes infinite buffers and no overhead related to congestion control. In practice, buffers are finite, leading to buffer overflow, and attempts to control congestion consume network capacity in the exchange of control signals.

 


Consider what happens in a network with finite buffers if no attempt is made to control congestion or to restrain input from end systems. The details, of course, differ depending on network architecture and on the statistics of the presented traffic; however, the graphs in Figure 2.13 depict the devastating outcome in general terms.

FIGURE 2.13 The Effects of Congestion

At light loads, throughput and hence network utilization increases as the offered load increases. As the load continues to increase, a point is reached (point A in the plot) beyond which the throughput of the network increases at a rate slower than the rate at which offered load is increased. This is because of network entry into a moderate congestion state. In this region, the network continues to cope with the load, although with increased delays. The departure of throughput from the ideal is accounted for by a number of factors. For one thing, the load is unlikely to be spread uniformly throughout the network. Therefore, while some nodes may experience moderate congestion, others may be experiencing severe congestion and may need to discard traffic. In addition, as the load increases, the network attempts to balance the load by routing packets through areas of lower congestion. For the routing function to work, an increased number of routing messages must be exchanged between nodes to alert each other to areas of congestion; this overhead reduces the capacity available for data packets.

As the load on the network continues to increase, the queue lengths of the various nodes continue to grow. Eventually, a point is reached (point B in the plot) beyond which throughput actually drops with increased offered load. The reason for this is that the buffers at each node are of finite size. When the buffers at a node become full, the node must discard packets. Therefore, the sources must retransmit the discarded packets in addition to new packets. This only exacerbates the situation: As more and more packets are retransmitted, the load on the system grows, and more buffers become saturated. While the system is trying desperately to clear the backlog, users are pumping old and new packets into the system. Even successfully delivered packets may be retransmitted because it takes too long, at a higher layer (for example, transport layer), to acknowledge them: The sender assumes the packet did not get through and retransmits. Under these circumstances, the effective capacity of the system declines to zero.

Congestion Control Techniques

Figure 2.14 provides a general depiction of important congestion control techniques. This section examines each of these.

FIGURE 2.14 Mechanisms for Congestion Control

Backpressure

Backpressure can be exerted on the basis of links or logical connections (for example, virtual circuits). Referring again to Figure 2.11, if node 6 becomes congested (buffers fill up), node 6 can slow down or halt the flow of all packets from node 5 (or node 3, or both nodes 5 and 3). If this restriction persists, node 5 will need to slow down or halt traffic on its incoming links. This flow restriction propagates backward (against the flow of data traffic) to sources, which are restricted in the flow of new packets into the network.

Backpressure for all traffic on a particular link is automatically invoked by the flow control mechanisms of data link layer protocols. Backpressure can also be selectively applied to logical connections, so that the flow from one node to the next is only restricted or halted on some connections, generally the ones with the most traffic. In this case, the restriction propagates back along the connection to the source. Such a mechanism is used in Frame Relay and Asynchronous Transfer Mode (ATM) networks. However, the use of these networks has declined considerably in favor of Ethernet carrier networks and IP-based Multiprotocol Label Switching (MPLS) networks.

Choke Packet

A choke packet is a control packet generated at a congested node and transmitted back to a source node to restrict traffic flow. Either a router or a destination end system may send this message to a source end system, requesting that it reduce the rate at which it is sending traffic to the internet destination. On receipt of a choke packet, the source host should cut back the rate at which it is sending traffic to the specified destination until it no longer receives choke packets. The choke packet can be used by a router or host that must discard IP datagrams because of a full buffer. In that case, the router or host will issue a choke packet for every packet that it discards. In addition, a system may anticipate congestion and issue choke packets when its buffers approach capacity. In that case, the packet referred to in the choke packet may well be delivered. Therefore, receipt of a choke packet does not imply delivery or nondelivery of the corresponding packet.

Implicit Congestion Signaling

When network congestion occurs, two things may happen:

1. The transmission delay for an individual packet from source to destination increases, so that it is noticeably longer than the fixed propagation delay, and

2. Packets are discarded.

If a source can detect increased delays and packet discards, it has implicit evidence of network congestion. If all sources can detect congestion and, in response, reduce flow on the basis of congestion, the network congestion will be relieved. Therefore, congestion control on the basis of implicit signaling is the responsibility of end systems and does not require action on the part of network nodes.

Implicit signaling is an effective congestion control technique in connectionless, or datagram, networks, such as IP-based internets. In such cases, there are no logical connections through the internet on which flow can be regulated. However, between the two end systems, logical connections can be established at the TCP level. TCP includes mechanisms for acknowledging receipt of TCP segments and for regulating the flow of data between source and destination on a TCP connection.

Explicit Congestion Signaling

It is desirable to use as much of the available capacity in a network as possible but still react to congestion in a controlled and fair manner. This is the purpose of explicit congestion avoidance techniques. In general terms, for explicit congestion avoidance, the network alerts end systems to growing congestion within the network and the end systems take steps to reduce the offered load to the network.

Explicit congestion signaling approaches can work in one of two directions:

Backward: Notifies the source that congestion avoidance procedures should be initiated where applicable for traffic in the opposite direction of the received notification. It indicates that the packets that the user transmits on this logical connection may encounter congested resources. Backward information is transmitted either by altering bits in a header of a data packet headed for the source to be controlled or by transmitting separate control packets to the source.

Forward: Notifies the user that congestion avoidance procedures should be initiated where applicable for traffic in the same direction as the received notification. It indicates that this packet, on this logical connection, has encountered congested resources. Again, this information may be transmitted either as altered bits in data packets or in separate control packets. In some schemes, when a forward signal is received by an end system, it echoes the signal back along the logical connection to the source. In other schemes, the end system is expected to exercise flow control upon the source end system at a higher layer (for example, TCP).

You can divide explicit congestion signaling approaches into three general categories:

Binary: A bit is set in a data packet as it is forwarded by the congested node. When a source receives a binary indication of congestion on a logical connection, it may reduce its traffic flow.

Credit based: These schemes are based on providing an explicit credit to a source over a logical connection. The credit indicates how many octets or how many packets the source may transmit. When the credit is exhausted, the source must await additional credit before sending additional data. Credit-based schemes are common for end-to-end flow control, in which a destination system uses credit to prevent the source from overflowing the destination buffers, but credit-based schemes have also been considered for congestion control. Credit-based schemes are defined in Frame Relay and ATM networks.

Rate based: These schemes are based on providing an explicit data rate limit to the source over a logical connection. The source may transmit data at a rate up to the set limit. To control congestion, any node along the path of the connection can reduce the data rate limit in a control message to the source.
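
The following Python model is an added example, not code from the book. It ties together two points made in this chapter: the infinite-buffer argument that delay grows without bound when offered load exceeds capacity, and the binary explicit scheme just listed, in its forward-signal-with-echo form. A single store-and-forward node sets a congestion bit on every packet it forwards while its queue exceeds a threshold, the destination echoes each bit back to the source, and a controlled source halves its rate on an echo and otherwise probes upward by one packet per tick. The capacity, threshold and starting rate are constructed values chosen for the illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Outcome:
    delivered: int   # packets forwarded to the destination over the run
    max_queue: int   # largest backlog left in the node after a tick's service
    final_rate: int  # source rate at the end of the run (packets per tick)
    max_delay: int   # longest queueing delay seen by a forwarded packet (ticks)


def simulate(ticks: int, capacity: int = 10, threshold: int = 20,
             start_rate: int = 16, controlled: bool = True) -> Outcome:
    """One source, one node with an unbounded buffer, one destination.

    Forward signal: while the node's queue exceeds `threshold`, every packet it
    forwards carries a congestion bit (the binary scheme).
    Backward signal: the destination echoes each bit to the source; the echo
    reaches the source one tick later.  A controlled source halves its rate in
    a tick in which an echo arrives and otherwise increases it by one packet.
    An uncontrolled source ignores the echoes, which reproduces the
    infinite-buffer case: with offered load above capacity the queue, and with
    it the delay, grows without bound.  All values are constructed for this
    example and are not taken from the book.
    """
    queue = deque()     # arrival tick of each queued packet, FIFO order
    echoes = deque()    # ticks at which echoed congestion bits reach the source
    rate = start_rate
    delivered = max_queue = max_delay = 0
    for t in range(ticks):
        # 1. Source: consume the echoes that arrive this tick and adjust the rate.
        got_echo = False
        while echoes and echoes[0] <= t:
            echoes.popleft()
            got_echo = True
        if controlled:
            rate = max(1, rate // 2) if got_echo else rate + 1
        # 2. Source transmits `rate` packets into the node.
        queue.extend([t] * rate)
        # 3. Node forwards up to `capacity` packets, marking them when congested.
        congested = len(queue) > threshold
        for _ in range(min(capacity, len(queue))):
            sent_at = queue.popleft()
            delivered += 1
            max_delay = max(max_delay, t - sent_at)
            if congested:
                echoes.append(t + 1)  # destination echoes the bit; arrives next tick
        max_queue = max(max_queue, len(queue))
    return Outcome(delivered, max_queue, rate, max_delay)


if __name__ == "__main__":
    for controlled in (False, True):
        print("controlled" if controlled else "uncontrolled", simulate(100, controlled=controlled))
```

With the defaults, the uncontrolled run leaves a backlog of six packets per tick and its delay keeps climbing, while the controlled source oscillates around the node's capacity with a queue that never exceeds a few tens of packets and a delay of at most a couple of ticks.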

2.6 SDN and NFV

With the ever-increasing volume and variety of network traffic, generated by such high-demand sources as big data, cloud computing, and mobile traffic, it becomes increasingly difficult to meet stringent QoS and QoE requirements. Networks need to be more adaptable and scalable. To provide adaptability and scalability, two key technologies that are rapidly being deployed by a variety of network service and application providers are software-defined networking (SDN) and network functions virtualization (NFV). Because these two topics occupy a large portion of this book, only a brief introduction is appropriate here.

Software-Defined Networking

SDN has reached a tipping point at which it is replacing the traditional networking model. Software-defined networks provide an enhanced level of flexibility and customizability to meet the needs of newer networking and IT trends such as cloud, mobility, social networking, and video.

SDN Functionality

The two elements involved in forwarding packets through routers are a control function, which decides the route the traffic takes and the relative priority of traffic, and a data function, which forwards data based on control-function policy. Prior to SDN, these functions were performed in an integrated fashion at each network device (router, bridge, packet switch, and so on). Control in such a traditional network is exercised by means of a routing and control network protocol that is implemented in each network node. This approach is relatively inflexible and requires all the network nodes to implement the same protocols. With SDN, a central controller performs all complex functionality, including routing, naming, policy declaration, and security checks (see Figure 2.15).

FIGURE 2.15 Software-Defined Networking

See Part II, “Software-Defined Networks”

This constitutes the SDN control plane, and consists of one or more SDN controllers. The SDN controller defines the data flows that occur in the SDN data plane. Each flow through the network is configured by the controller, which verifies that the communication is permissible by the network policy. If the controller allows a flow requested by an end system, it computes a route for the flow to take, and adds an entry for that flow in each of the switches along the path. With all complex function subsumed by the controller, switches simply manage flow tables whose entries can only be populated by the controller. The switches constitute the data plane. Communication between the controller and the switches uses a standardized protocol.
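
To make the flow-setup sequence concrete, here is a small Python model added to this discussion; it is neither the book's code nor a real controller or OpenFlow implementation. Switches hold a flow table they cannot fill themselves and refer any table miss to the controller, which checks the flow against policy, computes a shortest route over the topology and installs an entry in every switch along the path. The four-switch ring, the hosts, the policy set, the drop entry installed for a denied flow and the direct method call standing in for the controller-to-switch protocol are all constructed assumptions of the example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, str]   # (source host, destination host): the match fields of a flow entry
DROP = "drop"            # output action meaning "discard" (an assumption of this model)


@dataclass
class Switch:
    """Data-plane element. It forwards only by consulting a flow table that the
    controller fills; on a table miss it refers the packet to the controller."""
    name: str
    table: Dict[Flow, str] = field(default_factory=dict)  # match -> next hop or DROP
    packet_ins: int = 0                                    # table misses sent to the controller

    def forward(self, flow: Flow, controller: "Controller") -> Optional[str]:
        if flow not in self.table:
            self.packet_ins += 1
            # Stands in for the standardized controller-switch protocol (assumption).
            controller.handle_packet_in(self.name, flow)
        action = self.table.get(flow, DROP)
        return None if action == DROP else action


class Controller:
    """Control plane: knows topology and policy, computes the route for a
    permitted flow and installs one entry in every switch along the path."""

    def __init__(self, links: List[Tuple[str, str]], hosts: Dict[str, str],
                 policy: Set[Flow]) -> None:
        self.adj: Dict[str, List[str]] = {}
        for a, b in links:
            self.adj.setdefault(a, []).append(b)
            self.adj.setdefault(b, []).append(a)
        self.switches = {name: Switch(name) for name in self.adj}
        self.hosts = hosts      # host -> switch it is attached to
        self.policy = policy    # permitted (src, dst) pairs; anything else is denied
        self.denied: List[Flow] = []

    def route(self, start: str, goal: str) -> Optional[List[str]]:
        """Shortest path between two switches by breadth-first search."""
        prev: Dict[str, Optional[str]] = {start: None}
        frontier = deque([start])
        while frontier:
            node = frontier.popleft()
            if node == goal:
                path = []
                while node is not None:
                    path.append(node)
                    node = prev[node]
                return path[::-1]
            for nxt in self.adj[node]:
                if nxt not in prev:
                    prev[nxt] = node
                    frontier.append(nxt)
        return None

    def handle_packet_in(self, switch: str, flow: Flow) -> None:
        src, dst = flow
        path = self.route(self.hosts[src], self.hosts[dst]) if flow in self.policy else None
        if path is None:
            # Policy denies the flow (or no path exists): record it once and install a
            # drop entry at the ingress switch so later packets do not re-consult us.
            self.denied.append(flow)
            self.switches[switch].table[flow] = DROP
            return
        # Install the flow hop by hop; the last switch delivers to the destination host.
        for here, nxt in zip(path, path[1:] + [dst]):
            self.switches[here].table[flow] = nxt


def deliver(net: Controller, flow: Flow) -> Tuple[List[str], bool]:
    """Trace one packet of `flow` switch by switch; returns (switches traversed, delivered?)."""
    src, dst = flow
    at, hops = net.hosts[src], []
    while True:
        nxt = net.switches[at].forward(flow, net)
        if nxt is None:
            return hops, False
        hops.append(at)
        if nxt == dst:
            return hops, True
        at = nxt


def build_demo_network() -> Controller:
    """Constructed four-switch ring with one host per switch (not from the book)."""
    links = [("s1", "s2"), ("s2", "s3"), ("s3", "s4"), ("s4", "s1")]
    hosts = {"h1": "s1", "h2": "s2", "h3": "s3", "h4": "s4"}
    policy = {("h1", "h3"), ("h3", "h1"), ("h2", "h4")}
    return Controller(links, hosts, policy)


if __name__ == "__main__":
    net = build_demo_network()
    print(deliver(net, ("h1", "h3")), deliver(net, ("h1", "h4")), net.denied)
```

Only the first packet of a permitted flow reaches the controller; every later packet is switched from the installed entries, and a denied pair is logged once and then dropped at its ingress switch.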

Key Drivers

One driving factor for SDN is the increasingly widespread use of server virtualization. In essence, server virtualization masks server resources, including the number and identity of individual physical servers, processors, and operating systems, from server users. This makes it possible to partition a single machine into multiple, independent servers, conserving hardware resources. It also makes it possible to quickly migrate a server from one machine to another for load balancing or for dynamic switchover in the case of machine failure. Server virtualization has become a central element in dealing with big data applications and in implementing cloud computing infrastructures. But it creates problems with traditional network architectures. One problem is configuring virtual LANs. Network managers need to make sure the VLAN used by the virtual machine (VM) is assigned to the same switch port as the physical server running the VM. But with the VM being movable, it is necessary to reconfigure the VLAN every time that a virtual server is moved. In general terms, to match the flexibility of server virtualization, the network manager needs to be able to dynamically add, drop, and change network resources and profiles. This is difficult to do with conventional network switches, in which the control logic for each switch is collocated with the switching logic.

Another effect of server virtualization is that traffic flows differ substantially from the traditional client/server model. Typically, there is a considerable amount of traffic among virtual servers, for such purposes as maintaining consistent images of database and invoking security functions such as access control. These server-to-server flows change in location and intensity over time, demanding a flexible approach to managing network resources.

Another factor leading to the need for rapid response in allocating network resources is the increasing use by employees of mobile devices, such as smartphones, tablets, and notebooks to access enterprise resources. These devices can add fast-changing and unpredictable large loads on the network, and can rapidly change their network attachment point. Network managers must be able to respond to rapidly changing resource, QoS, and security requirements for mobile devices.

Existing network infrastructures can respond to changing requirements for the management of traffic flows, providing differentiated QoS levels and security levels for individual flows, but the process can be very time-consuming if the enterprise network is large or involves network devices from multiple vendors. The network manager must configure each vendor’s equipment separately, and adjust performance and security parameters on a per-session, per-application basis. In a large enterprise, every time a new VM is brought up, it can take hours or even days for network managers to do the necessary reconfiguration.

Network Functions Virtualization

The discussion of SDN mentioned that a key driving factor in the deployment of SDN is the need to provide flexible network response to the widespread use of virtualized servers. VM technology over the Internet or an enterprise network has, until recently, been used for application-level server functions such as database servers, cloud servers, web servers, e-mail servers, and so on. This same technology, however, can equally be applied to network devices, such as routers, LAN switches, firewalls, and IDS/IPS servers (see Figure 2.16).

FIGURE 2.16 Network Functions Virtualization

See Part III, “Virtualization”

Network functions virtualization (NFV) decouples network functions, such as routing, firewalling, intrusion detection, and Network Address Translation from proprietary hardware platforms and implements these functions in software. It utilizes standard virtualization technologies that run on high-performance hardware to virtualize network functions. It is applicable to any data plane processing or control plane function in both wired and wireless network infrastructures.

NFV has a number of features in common with SDN. They share the following objectives:

Move functionality to software

Use commodity hardware platforms instead of proprietary platforms

Use standardized or open application program interfaces (APIs)

Support more efficient evolution, deployment, and repositioning of network functions

NFV and SDN are independent but complementary schemes. SDN decouples the data and control planes of network traffic control, making the control and routing of network traffic more flexible and efficient. NFV decouples network functions from specific hardware platforms via virtualization to make the provision of these functions more efficient and flexible. Virtualization can be applied to the data plane functions of the routers and other network functions, including SDN controller functions. So, either can be used alone, but the two can be combined to reap greater benefits.

2.7 Modern Networking Elements

This chapter ends with a rough depiction of how the major elements of modern networking treated in this book fit together (see Figure 2.17). The discussion that follows works through this figure from the bottom up.

FIGURE 2.17 Modern Networking Schema

Ultimately, the concern of a network service provider is about the set of network devices (such as routers) and the control and management of the functions they perform (such as packet forwarding). If NFV is used, these network functions are implemented in software and executed on VMs. If instead the network functions are implemented on dedicated machines and SDN is used, the control functions are implemented on central SDN controllers, which interact with the network devices.

However, SDN and NFV are not mutually exclusive. If both SDN and NFV are implemented for a network, the following relationships hold:

Network data plane functionality is implemented on VMs.

The control plane functionality may be implemented on a dedicated SDN platform or on an SDN VM.

In either case, the SDN controller interacts with the data plane functions running on VMs.

QoS measures are commonly used to specify the service required by various network customers or users and to dictate the traffic management policies used on the network. The common case, until recently, is that QoS was implemented on networks that used neither NFV nor SDN. In this case, routing and traffic control policies must be configured directly on network devices using a variety of automated and manual techniques. If NFV but not SDN is implemented, the QoS settings are communicated to the VMs. With SDN, regardless of whether NFV is used, it is the SDN controller that is responsible for enforcing QoS parameters for the various network users.

If QoE considerations come into play, these are used to adjust QoS parameters to satisfy the users’ QoE requirements.

2.8 Key Terms

After completing this chapter, you should be able to define the following terms.

analytics

autonomous system

big data

cloud computing

congestion

delay jitter

elastic traffic

exterior router protocol (ERP)

inelastic traffic

interior router protocol (IRP)

internet

Internet

network functions virtualization (NFV)

operations support system (OSS)

packet forwarding

quality of experience (QoE)

quality of service (QoS)

real-time traffic

router

routing

routing protocol

software-defined networking (SDN)

virtual machine (VM)

Part II: Software-Defined Networks

One man had a vision of railways that would link all the mainline railroad termini. His name was Charles Pearson and, though born the son of an upholsterer, he became Solicitor to the city of London. There had previously been a plan for gaslit subway streets through which horse-drawn traffic could pass. This was rejected on the grounds that such sinister tunnels would become lurking places for thieves. Twenty years before his system was built, Pearson envisaged a line running through “a spacious archway,” well-lit and well-ventilated.

His was a scheme for trains in a drain.

King Solomon’s Carpet, Barbara Vine (Ruth Rendell)

CHAPTER 3: SDN: Background and Motivation

CHAPTER 4: SDN Data Plane and OpenFlow

CHAPTER 5: SDN Control Plane

CHAPTER 6: SDN Application Plane

The heart of modern networking is software-defined networking (SDN). Part II is devoted to a broad and thorough presentation of SDN concepts, technology, and applications. Chapter 3 begins the discussion by laying out what the SDN approach is and why it is needed, and provides an overview of the SDN architecture. This chapter also looks at the organizations that are issuing specifications and standards for SDN. Chapter 4 is a detailed look at the SDN data plane, including the key components, how they interact, and how they are managed. Much of the chapter is devoted to OpenFlow, a vital data plane technology as well as an interface to the control plane. The chapter explains why OpenFlow is needed and then proceeds to provide a detailed technical explanation. Chapter 5 is devoted to the SDN control plane. It includes a discussion of OpenDaylight, an important open source implementation of the control plane. Chapter 6 covers the SDN application plane. In addition to examining the general SDN application plane architecture, the chapter discusses six major application areas that can be supported by SDN and provides a number of examples of SDN applications.

Chapter 3. SDN: Background and Motivation

The requirements for a future all-digital-data distributed network which provides common user service for a wide range of users having different requirements is considered. The use of a standard format message block permits building relatively simple switching mechanisms using an adaptive store-and-forward routing policy to handle all forms of digital data including “real-time” voice. This network rapidly responds to changes in network status.

—On Distributed Communications: Introduction to Distributed Communications Networks,

Rand Report RM-3420-PR, Paul Baran, August 1964

Chapter Objectives: After studying this chapter, you should be able to

Make a presentation justifying the position that traditional network architectures are inadequate for modern networking needs.

List and explain the key requirements for an SDN architecture.

Present an overview of an SDN architecture, to include explaining the significance of northbound and southbound APIs.

Summarize the work being done on SDN and NFV standardization by various organizations.

This chapter begins the discussion of software-defined networks (SDNs) by providing some background and motivation for the SDN approach.

3.1 Evolving Network Requirements

A number of trends are driving network providers and users to reevaluate traditional approaches to network architecture. These trends can be grouped under the categories of demand, supply, and traffic patterns.

Demand Is Increasing

As was described in Chapter 2, “Requirements and Technology,” a number of trends are increasing the load on enterprise networks, the Internet, and other internets. Of particular note are the following:

Cloud computing: There has been a dramatic shift by enterprises to both public and private cloud services.

Big data: The processing of huge data sets requires massive parallel processing on thousands of servers, all of which require a degree of interconnection to each other. Therefore, there is a large and constantly growing demand for network capacity within the data center.

Mobile traffic: Employees are increasingly accessing enterprise network resources via mobile personal devices, such as smartphones, tablets, and notebooks. These devices support sophisticated apps that can consume and generate image and video traffic, placing new burdens on the enterprise network.

 

The Internet of Things (IoT): Most “things” in the IoT generate modest traffic, although there are exceptions, such as surveillance video cameras. But the sheer number of such devices for some enterprises results in a significant load on the enterprise network.

 

Supply Is Increasing

 

As the demand on networks is rising, so is the capacity of network technologies to absorb rising loads. In terms of transmission technology, Chapter 1, “Elements of Modern Networking,” established that the key enterprise wired and wireless network technologies, Ethernet and Wi-Fi respectively, are well into the gigabits per second (Gbps) range. Similarly, 4G and 5G cellular networks provide greater capacity for mobile devices from remote employees who access the enterprise network via cellular networks rather than Wi-Fi.

 

The increase in the capacity of the network transmission technologies has been matched by an increase in the performance of network devices, such as LAN switches, routers, firewalls, intrusion detection system/intrusion prevention systems (IDS/IPS), and network monitoring and management systems. Year by year, these devices have larger, faster memories, enabling greater buffer capacity and faster buffer access, as well as faster processor speeds.

 

Traffic Patterns Are More Complex

 

If it were simply a matter of supply and demand, it would appear that today’s networks should be able to cope with today’s data traffic. But as traffic patterns have changed and become more complex, traditional enterprise network architectures are increasingly ill-suited to the demand.

 

Until recently, and still common today, the typical enterprise network architecture consisted of a local or campus-wide tree structure of Ethernet switches with routers connecting large Ethernet LANs and connecting to the Internet and WAN facilities. This architecture is well suited to the client/server computing model that was at one time dominant in the enterprise environment. With this model, interaction, and therefore traffic, was mostly between one client and one server. In such an environment, networks could be laid out and configured with relatively static client and server locations and relatively predictable traffic volumes between clients and servers.

 

A number of developments have resulted in far more dynamic and complex traffic patterns within the enterprise data center, local and regional enterprise networks, and carrier networks. These include the following:

 

Client/server applications typically access multiple databases and servers that must communicate with each other, generating “horizontal” traffic between servers as well as “vertical” traffic between servers and clients.

 

Network convergence of voice, data, and video traffic creates unpredictable traffic patterns, often of large multimedia data transfers.

 

Unified communications (UC) strategies involve heavy use of applications that trigger access to multiple servers.

 

The heavy use of mobile devices, including personal bring your own device (BYOD) policies, results in user access to corporate content and applications from any device anywhere any time. As illustrated previously in Figure 2.6 in Chapter 2, this mobile traffic is becoming an increasingly significant fraction of enterprise network traffic.

 

The widespread use of public clouds has shifted a significant amount of what previously had been local traffic onto WANs for many enterprises, resulting in increased and often very unpredictable loads on enterprise routers.

 

The now-common practice of application and database server virtualization has significantly increased the number of hosts requiring high-volume network access and results in the ever-changing physical location of server resources.

 

Traditional Network Architectures Are Inadequate

 

Even with the greater capacity of transmission schemes and the greater performance of network devices, traditional network architectures are increasingly inadequate in the face of the growing complexity, variability, and high volume of the imposed load. In addition, as quality of service (QoS) and quality of experience (QoE) requirements imposed on the network are expanded as a result of the variety of applications, the traffic load must be handled in an increasingly sophisticated and agile fashion.

 

The traditional internetworking approach is based on the TCP/IP protocol architecture. Three noteworthy characteristics of this approach are as follows:

 

Two-level end system addressing

 

The protocol architecture built around the TCP and IP protocols, consisting of five layers: physical, data link, network/Internet (usually IP), transport (usually TCP or UDP), and application.

 

Routing based on destination

 

Distributed, autonomous control

 

Let’s look at each of these characteristics in turn.

 

The traditional architecture relies heavily on the network interface identity. At the physical layer of the TCP/IP model, devices attached to networks are identified by hardware-based identifiers, such as Ethernet MAC addresses. At the internetworking level, including both the Internet and private internets, the architecture is a network of networks. Each attached device has a physical layer identifier recognized within its immediate network and a logical network identifier, its IP address, which provides global visibility.

 

The design of TCP/IP uses this addressing scheme to support the networking of autonomous networks, with distributed control. This architecture provides a high level of resilience and scales well in terms of adding new networks. Using IP and distributed routing protocols, routes can be discovered and used throughout an internet. Using transport-level protocols such as TCP, distributed and decentralized algorithms can be implemented to respond to congestion.

 

Traditionally, routing was based on each packet’s destination address. In this datagram approach, successive packets between a source and destination may follow different routes through the internet, as routers constantly seek to find the minimum-delay path for each individual packet. More recently, to satisfy QoS requirements, packets are often treated in terms of flows of packets. Packets associated with a given flow have defined QoS characteristics, which affect the routing for the entire flow.

 

A packet that is treated independently of other packets for packet switching. A datagram carries information sufficient for routing from the source to the destination without the necessity of establishing a logical connection between the endpoints.

 

A unit of data sent across a network. A packet is a group of bits that includes data plus protocol control information. The term generally applies to protocol data units at the network layer.

 

A sequence of packets between a source and destination that are recognized by the network as related and are treated in a uniform fashion.

 

A method of transmitting messages through a communications network, in which long messages are subdivided into short packets. Each packet is passed from source to destination through intermediate nodes. At each node, the entire message is received, stored briefly, and then forwarded to the next node.

 

However, this distributed, autonomous approach developed when networks were predominantly static and end systems predominantly of fixed location. Based on these characteristics, the Open Networking Foundation (ONF) cites four general limitations of traditional network architectures [ONF12]:

 

Static, complex architecture: To respond to demands such as differing levels of QoS, high and fluctuating traffic volumes, and security requirements, networking technology has grown more complex and difficult to manage. This has resulted in a number of independently defined protocols, each of which addresses a portion of networking requirements. An example of the difficulty this presents is when devices are added or moved. The network management staff must use device-level management tools to make changes to configuration parameters in multiple switches, routers, firewalls, web authentication portals, and so on. The updates include changes to access control lists (ACLs), virtual LAN settings, QoS settings in numerous devices, and other protocol-related adjustments. Another example is the adjustment of QoS parameters to meet changing user requirements and traffic patterns. Manual procedures must be used to configure each vendor’s equipment on a per-application and even per-session basis.

 

Inconsistent policies: To implement a network-wide security policy, staff may have to make configuration changes to thousands of devices and mechanisms. In a large network, when a new virtual machine is activated, it can take hours or even days to reconfigure ACLs across the entire network.

 

Inability to scale: Demands on networks are growing rapidly, both in volume and variety. Adding more switches and transmission capacity, involving equipment from multiple vendors, is difficult because of the complex, static nature of the network. One strategy enterprises have used is to oversubscribe network links based on predicted traffic patterns. But with the increased use of virtualization and the increasing variety of multimedia applications, traffic patterns are unpredictable.

 

Vendor dependence: Given the nature of today’s traffic demands on networks, enterprises and carriers need to deploy new capabilities and services rapidly in response to changing business needs and user demands. A lack of open interfaces for network functions leaves the enterprises limited by the relatively slow product cycles of vendor equipment.

 

3.2 The SDN Approach

 

This section provides an overview of SDN and shows how it is designed to meet evolving network requirements.

 

Requirements

 

Based on the narrative of Section 3.1, we are now in a position to detail the principal requirements for a modern networking approach. The Open Data Center Alliance (ODCA) provides a useful, concise list of requirements, which include the following [ODCA14]:

 

Adaptability: Networks must adjust and respond dynamically, based on application needs, business policy, and network conditions.

 

Automation: Policy changes must be automatically propagated so that manual work and errors can be reduced.

 

Maintainability: Introduction of new features and capabilities (software upgrades, patches) must be seamless with minimal disruption of operations.

 

Model management: Network management software must allow management of the network at a model level, rather than implementing conceptual changes by reconfiguring individual network elements.

 

Mobility: Control functionality must accommodate mobility, including mobile user devices and virtual servers.

 

Integrated security: Network applications must integrate seamless security as a core service instead of as an add-on solution.

 

On-demand scaling: Implementations must have the ability to scale up or scale down the network and its services to support on-demand requests.

 

SDN Architecture

 

An analogy can be drawn between the way in which computing evolved from closed, vertically integrated, proprietary systems into an open approach to computing and the evolution coming with SDN (see Figure 3.1). In the early decades of computing, vendors such as IBM and DEC provided a fully integrated product, with a proprietary processor hardware, unique assembly language, unique operating system (OS), and the bulk if not all of the application software. In this environment, customers, especially large customers, tended to be locked in to one vendor, dependent primarily on the applications offered by that vendor. Migration to another vendor’s hardware platform resulted in major upheaval at the application level.

 
FIGURE 3.1 The Modern Approach to Computing and Networking

 

Today, the computing environment is characterized by extreme openness and great customer flexibility. The bulk of computing hardware consists of x86 and x86-compatible processors for standalone systems and ARM processors for embedded systems. This makes it easy to port operating systems implemented in C, C++, Java, and the like. Even proprietary hardware architectures, such as IBM’s zEnterprise line, provide standardized compilers and programming environments and so can easily run open source operating systems such as Linux. Therefore, applications written for Linux or other open operating systems can easily be moved from one vendor platform to another. Even proprietary systems such as Windows and Mac OS provide programming environments to make porting of applications an easy matter. This openness also enables the development of virtual machines that can be moved from one server to another across hardware platforms and operating systems.

 

The networking environment today faces some of the same limitations faced in the pre-open era of computing. Here the issue is not developing applications that can run on multiple platforms. Rather, the difficulty is the lack of integration between applications and network infrastructure. As demonstrated in the preceding section, traditional network architectures are inadequate to meet the demands of the growing volume and variety of traffic.

 

The central concept behind SDN is to enable developers and network managers to have the same type of control over network equipment that they have had over x86 servers. As discussed in Section 2.6 in Chapter 2, the SDN approach splits the switching function between a data plane and a control plane that are on separate devices (see Figure 3.2). The data plane is simply responsible for forwarding packets, whereas the control plane provides the “intelligence” in designing routes, setting priority and routing policy parameters to meet QoS and QoE requirements and to cope with the shifting traffic patterns. Open interfaces are defined so that the switching hardware presents a uniform interface regardless of the details of internal implementation. Similarly, open interfaces are defined to enable networking applications to communicate with the SDN controllers.

 
FIGURE 3.2 Control and Data Planes

 

See Figure 2.15, Software Defined Networking

 

Figure 3.3 elaborates on the structure shown in Figure 2.15, showing more detail of the SDN approach. The data plane consists of physical switches and virtual switches. In both cases, the switches are responsible for forwarding packets. The internal implementation of buffers, priority parameters, and other data structures related to forwarding can be vendor dependent. However, each switch must implement a model, or abstraction, of packet forwarding that is uniform and open to the SDN controllers. This model is defined in terms of an open application programming interface (API) between the control plane and the data plane (southbound API). The most prominent example of such an open API is OpenFlow, discussed in Chapter 4, “SDN Data Plane and OpenFlow.” As Chapter 4 explains, the OpenFlow specification defines both a protocol between the control and data planes and an API by which the control plane can invoke the OpenFlow protocol.

 
FIGURE 3.3 Software-Defined Architecture

 

A language and message format used by an application program to communicate with the operating system or some other control program such as a database management system (DBMS) or communications protocol. APIs are implemented by writing function calls in the program, which provide the linkage to the required subroutine for execution. An open or standardized API can ensure the portability of the application code and the vendor independence of the called service.

 

SDN controllers can be implemented directly on a server or on a virtual server. OpenFlow or some other open API is used to control the switches in the data plane. In addition, controllers use information about capacity and demand obtained from the networking equipment through which the traffic flows. SDN controllers also expose northbound APIs, which allow developers and network managers to deploy a wide range of off-the-shelf and custom-built network applications, many of which were not feasible before the advent of SDN. As yet there is no standardized northbound API nor a consensus on an open northbound API. A number of vendors offer a REpresentational State Transfer (REST)-based API to provide a programmable interface to their SDN controller.

 

See Chapter 5, “SDN Control Plane”

 

Also envisioned but not yet defined are horizontal APIs (east/westbound), which would enable communication and cooperation among groups or federations of controllers to synchronize state for high availability.

 

At the application plane are a variety of applications that interact with SDN controllers. SDN applications are programs that may use an abstract view of the network for their decision-making goals. These applications convey their network requirements and desired network behavior to the SDN controller via a northbound API. Examples of applications are energy-efficient networking, security monitoring, access control, and network management.

 

Characteristics of Software-Defined Networking

 

Putting it all together, the key characteristics of SDN are as follows:

 

The control plane is separated from the data plane. Data plane devices become simple packet-forwarding devices (refer back to Figure 3.2).

 

The control plane is implemented in a centralized controller or set of coordinated centralized controllers. The SDN controller has a centralized view of the network or networks under its control. The controller is portable software that can run on commodity servers and is capable of programming the forwarding devices based on a centralized view of the network.

 

Open interfaces are defined between the devices in the control plane (controllers) and those in the data plane.

 

The network is programmable by applications running on top of the SDN controllers. The SDN controllers present an abstract view of network resources to the applications.
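To make this separation concrete, the following is an added, constructed Python model (not code from the book, from OpenFlow, or from any real controller): the data plane only matches packets against flow tables, the controller holds the centralized network view and installs table entries through a southbound call, and an access-control application states a network-wide deny policy once through a northbound call instead of touching each device. All switch and host names are invented, and only the match/priority/action shape of the OpenFlow abstraction is mirrored.

```python
"""Added toy model of this chapter's SDN split (not code from the book or any
real controller): switches only match packets against flow tables, the
controller programs those tables from a central view, and an access-control
application states policy against that view rather than per device."""
from collections import deque


class FlowEntry:
    """One flow-table row; a match field of None is a wildcard."""
    def __init__(self, priority, src, dst, action):
        self.priority, self.src, self.dst = priority, src, dst
        self.action = action  # "drop" or ("out", port)

    def matches(self, pkt):
        return all(f is None or f == pkt[k] for f, k in ((self.src, "src"), (self.dst, "dst")))


class Switch:
    """Data plane: knows nothing of topology or policy, only its own table."""
    def __init__(self, name):
        self.name, self.table, self.ports = name, [], {}  # port -> neighbour

    def install(self, entry):
        self.table.append(entry)
        self.table.sort(key=lambda e: -e.priority)  # highest priority first

    def lookup(self, pkt):
        for entry in self.table:
            if entry.matches(pkt):
                return entry.action
        return "packet-in"  # table miss: punt to the control plane


class Controller:
    """Control plane: centralized view of hosts, switches, and links."""
    def __init__(self):
        self.switches, self.hosts = {}, {}

    def add_link(self, a, port_a, b, port_b):
        for name in (a, b):  # stand-in for topology discovery
            self.switches.setdefault(name, Switch(name))
        self.switches[a].ports[port_a] = b
        self.switches[b].ports[port_b] = a

    def attach_host(self, host, sw, port):
        self.hosts[host] = sw
        self.switches[sw].ports[port] = host

    def deny(self, src, dst):
        """Northbound: an access-control app states the policy once, against the
        model; the controller pushes a drop rule to every device it knows of."""
        for sw in self.switches.values():
            sw.install(FlowEntry(100, src, dst, "drop"))

    def packet_in(self, sw_name, pkt):
        """Southbound: on a table miss, install forwarding state along a path."""
        src, dst = pkt["src"], pkt["dst"]
        for sw, port in self._path(self.hosts[src], self.hosts[dst], dst):
            self.switches[sw].install(FlowEntry(10, src, dst, ("out", port)))

    def _path(self, start, goal, dst_host):
        """BFS over the controller's topology view -> (switch, out-port) hops."""
        parents, queue = {start: None}, deque([start])
        while queue:
            cur = queue.popleft()
            for port, nbr in self.switches[cur].ports.items():
                if nbr in self.switches and nbr not in parents:
                    parents[nbr] = (cur, port)
                    queue.append(nbr)
        hops, node = [], goal
        while parents[node] is not None:
            node, port = parents[node]
            hops.append((node, port))
        hops.reverse()  # final hop: the goal switch's port that faces the host
        last = [p for p, n in self.switches[goal].ports.items() if n == dst_host]
        return hops + [(goal, last[0])]


def send(ctrl, src, dst):
    """Walk a constructed packet; return the switch trace or "dropped"."""
    pkt, sw_name, trace = {"src": src, "dst": dst}, ctrl.hosts[src], []
    while sw_name not in trace:  # revisiting a switch would mean a loop
        sw = ctrl.switches[sw_name]
        action = sw.lookup(pkt)
        if action == "packet-in":
            ctrl.packet_in(sw_name, pkt)  # control plane reacts, then retry
            action = sw.lookup(pkt)
        trace.append(sw_name)
        if action == "drop":
            return "dropped"
        sw_name = sw.ports[action[1]]
        if sw_name == dst:
            return trace
    raise RuntimeError("forwarding loop")


def build_demo():
    """Constructed topology: h1 - s1 - s2 - s3 - h2, with h3 attached to s2."""
    ctrl = Controller()
    ctrl.add_link("s1", 2, "s2", 1)
    ctrl.add_link("s2", 2, "s3", 1)
    for host, sw, port in (("h1", "s1", 1), ("h2", "s3", 2), ("h3", "s2", 3)):
        ctrl.attach_host(host, sw, port)
    return ctrl
```

Note that after `deny("h3", "h2")` the higher-priority drop entry overrides forwarding entries already installed on every switch, which is the "Automation" and "Model management" requirement above in miniature; a switch that joins after the policy was set would need the controller to re-apply it.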

 

3.3 SDN- and NFV-Related Standards

 

Unlike some technology areas, such as Wi-Fi, there is no single standards body responsible for developing open standards for SDN and NFV. Rather, there is a large and evolving collection of standards-developing organizations (SDOs), industrial consortia, and open development initiatives involved in creating standards and guidelines for SDN and NFV. Table 3.1 lists the main SDOs and other organizations involved in the effort and the main outcomes so far produced. This section covers some of the most prominent efforts.

 
TABLE 3.1 SDN and NFV Open Standards Activities

 

Documents that provide requirements, specifications, guidelines, or characteristics that can be used consistently to ensure that materials, products, processes, and services are fit for their purpose. Standards are established by consensus among those participating in a standards-making organization and are approved by a generally recognized body.

 

A standard that is developed on the basis of an open decision-making procedure available to all interested parties, is available for implementation to all on a royalty-free basis, and is intended to promote interoperability among products from multiple vendors.

 

Standards-Developing Organizations

 

The Internet Society, ITU-T, and ETSI are all making key contributions to the standardization of SDN and NFV.

 
Internet Society
 

A number of standards-developing organizations (SDOs) are looking at various aspects of SDN. Perhaps the most active are two groups within the Internet Society (ISOC): IETF and IRTF. ISOC is the coordinating committee for Internet design, engineering, and management. Areas covered include the operation of the Internet itself and the standardization of protocols used by end systems on the Internet for interoperability. Various organizations under the ISOC are responsible for the actual work of standards development and publication.

 

An official national, regional, or international standards body that develops standards and coordinates the standards activities of a specific country, region, or the world. Some SDOs facilitate the development of standards through support of technical committee activities, and some may be directly involved in standards development.

 

The Internet Engineering Task Force (IETF) has working groups developing SDN-related specifications in the following areas:

 

Interface to routing systems (I2RS): Develop capabilities to interact with routers and routing protocols to apply routing policies.

 

Service function chaining: Develop an architecture and capabilities for controllers to direct subsets of traffic across the network in such a way that each virtual service platform sees only the traffic it must work with.

 

The Internet Research Task Force (IRTF) has published Software-Defined Networking (SDN): Layers and Architecture Terminology (RFC 7426, January 2015). The document provides a concise reference that reflects current approaches regarding the SDN layer architecture. The Request For Comments (RFC) also provides a useful discussion of the southbound API (Figure 3.3) and describes some specific APIs, such as for I2RS.

 

A document in the archival series that is the official channel for publications of the Internet Society, including IETF and IRTF publications. An RFC may be informational, best practice, draft standard, or an official Internet standard.

 

IRTF also sponsors the Software Defined Networking Research Group (SDNRG). This group investigates SDN from various perspectives with the goal of identifying the approaches that can be defined, deployed, and used in the near term and identifying future research challenges.

 
ITU-T
 

The International Telecommunication Union—Telecommunication Standardization Sector (ITU-T) is a UN agency that issues standards, called recommendations, in the telecommunications area. So far, their only published contribution to SDN is Recommendation Y.3300 (Framework of Software-Defined Networking, June 2014). The document addresses definitions, objectives, high-level capabilities, requirements, and high-level architecture of SDN. It provides a valuable framework for standards development.

 

ITU-T has established a Joint Coordination Activity on Software-Defined Networking (JCA-SDN) and begun work on developing SDN-related standards.

 

Four ITU-T study groups (SGs) are involved in SDN-related activities:

 

SG 13 (Future networks, including cloud computing, mobile, and next-generation networks): This is the lead study group for SDN in ITU-T and developed Y.3300. This group is studying SDN and virtualization aspects for next-generation networks (NGNs).

 

SG 11 (Signaling requirements, protocols, and test specifications): This group is studying the framework for SDN signaling and how to apply SDN technologies for IPv6.

 

SG 15 (Transport, access, and home): This group looks at optical transport networks, access networks, and home networks. The group is investigating transport aspects of SDN, aligned with the Open Networking Foundation’s SDN architecture.

 

SG 16 (Multimedia): This group is evaluating OpenFlow as a protocol to control multimedia packet flows, and is studying virtual content delivery networks.

 
ETSI
 

ETSI is recognized by the European Union as a European Standards Organization. However, this not-for-profit SDO has member organizations worldwide and its standards have international impact.

 

ETSI has taken the lead role in defining standards for NFV. ETSI’s Network Functions Virtualisation (NFV) Industry Specification Group (ISG) began work in January 2013 and produced a first set of specifications in January 2015. The 11 specifications cover NFV architecture, infrastructure, service quality metrics, management and orchestration, resiliency requirements, and security guidance.

 

Industry Consortia

 

Consortia for open standards began to appear in the late 1980s. There was a growing feeling within private-sector multinational companies that the SDOs acted too slowly to provide useful standards in the fast-paced world of technology. Recently, a number of consortia have become involved in the development of SDN and NFV standards. We mention here three of the most significant efforts.

 

See Chapter 4, “SDN Data Plane and OpenFlow”

 

By far the most important consortium involved in SDN standardization is the Open Networking Foundation (ONF). ONF is an industry consortium dedicated to the promotion and adoption of SDN through open standards development. Its most important contribution to date is the OpenFlow protocol and API. The OpenFlow protocol is the first standard interface specifically designed for SDN and is already being deployed in a variety of networks and networking products, both hardware based and software based. The standard enables networks to evolve by giving logically centralized control software the power to modify the behavior of network devices through a well-defined “forwarding instruction set.” Chapter 4 is devoted to this protocol.

 

consortium: A group of independent organizations joined by common interests. In the area of standards development, a consortium typically consists of individual corporations and trade groups concerned with a specific area of technology.

 

The Open Data Center Alliance (ODCA) is a consortium of leading global IT organizations dedicated to accelerating adoption of interoperable solutions and services for cloud computing. Through the development of usage models for SDN and NFV, ODCA is defining requirements for SDN and NFV cloud deployment.

 

The Alliance for Telecommunications Industry Solutions (ATIS) is a membership organization that provides the tools necessary for the industry to identify standards, guidelines, and operating procedures that make the interoperability of existing and emerging telecommunications products and services possible. Although ATIS is accredited by ANSI, it is best viewed as a consortium rather than an SDO. So far, ATIS has issued a document that identifies operational issues and opportunities associated with increasing programmability of the infrastructure using SDN and NFV.

 

Open Development Initiatives

 

There are a number of other organizations that are not specifically created by industry members and are not official bodies such as SDOs. Generally, these organizations are user created and driven and have a particular focus, always with the goal of developing open standards or open source software. A number of such groups have become active in SDN and NFV standardization. This section lists three of the most significant efforts.

 
OpenDaylight
 

OpenDaylight is an open source software activity under the auspices of the Linux Foundation. Its member companies provide resources to develop an SDN controller for a wide range of applications. Although the core membership consists of companies, individual developers and users can also participate, so OpenDaylight is more in the nature of an open development initiative than a consortium. ODL also supports network programmability via southbound protocols, a set of programmable network services, a collection of northbound APIs, and a set of applications.

 

See Section 5.3, “OpenDaylight.”

 

OpenDaylight is composed of about 30 projects and releases their outputs simultaneously. After its first release, Hydrogen, in February 2014, it delivered the second, Helium, at the end of September 2014.

 
Open Platform for NFV (OPNFV)
 

Open Platform for NFV is an open source project dedicated to accelerating the adoption of standardized NFV elements. OPNFV will establish a carrier-grade, integrated, open source reference platform that industry peers will build together to advance the evolution of NFV and to ensure consistency, performance, and interoperability among multiple open source components. Because multiple open source NFV building blocks already exist, OPNFV will work with upstream projects to coordinate continuous integration and testing while filling development gaps.

 

See Section 7.4, “NFV Benefits and Requirements.”

 
OpenStack
 

OpenStack is an open source software project that aims to produce an open source cloud operating system. It provides multitenant Infrastructure as a Service (IaaS) and aims to meet the needs of public and private clouds regardless of size, by being simple to implement and massively scalable. SDN technology is expected to contribute to its networking part and to make the cloud operating system more efficient, flexible, and reliable.

 

OpenStack is composed of a number of projects. One of them, Neutron, is dedicated to networking. It provides Network as a Service (NaaS) to the other OpenStack services. Almost all SDN controllers provide plug-ins for Neutron, and through them OpenStack services can build rich network topologies and configure advanced network policies in the cloud.

 

3.4 Key Terms

 

After completing this chapter, you should be able to define the following terms.

 

application programming interface (API)

consortium

datagram

flow

IEEE 802

northbound API

open standard

packet switching

REpresentational State Transfer (REST)

Request For Comments (RFC)

service function chaining

southbound API

standard

standards-developing organization (SDO)

TCP/IP protocol architecture

 


 

Chapter 4. SDN Data Plane and OpenFlow

 

“I tell you,” went on Syme with passion, “that every time a train comes in I feel that it has broken past batteries of besiegers, and that man has won a battle against chaos. You say contemptuously that when one has left Sloane Square one must come to Victoria. I say that one might do a thousand things instead, and that whenever I really come there I have the sense of hairbreadth escape. And when I hear the guard shout out the word ‘Victoria’, it is not an unmeaning word. It is to me the cry of a herald announcing conquest. It is to me indeed ‘Victoria’; it is the victory of Adam.”

 

The Man Who Was Thursday, G. K. Chesterton

 

 

Chapter Objectives: After studying this chapter, you should be able to

 

Present an overview of the functions of the SDN data plane.

 

Understand the concept of an OpenFlow logical network device.

 

Describe and explain the OpenFlow flow table entry structure.

 

Summarize the operation of the OpenFlow pipeline.

 

Explain the operation of the group table.

 

Understand the basic elements of the OpenFlow protocol.

 
 

Section 4.1 of this chapter begins the detailed study of software-defined networking (SDN) with a discussion of the data plane (Figure 4.1). The remainder of the chapter is devoted to OpenFlow, the most widely used implementation of the SDN data plane. OpenFlow is both a specification of the logical structure of data plane functionality and a protocol between SDN controllers and network devices. Sections 4.2 and 4.3, respectively, examine the OpenFlow logical network device and the OpenFlow protocol in more detail.

 
FIGURE 4.1 SDN Architecture

 

4.1 SDN Data Plane

 

The SDN data plane, referred to as the resource layer in ITU-T Y.3300 and also often referred to as the infrastructure layer, is where network forwarding devices perform the transport and processing of data according to decisions made by the SDN control plane. The important characteristic of the network devices in an SDN network is that these devices perform a simple forwarding function, without embedded software to make autonomous decisions.

 

Data Plane Functions

 

Figure 4.2 illustrates the functions performed by the data plane network devices (also called data plane network elements or switches). The principal functions of the network device are the following:

 
FIGURE 4.2 Data Plane Network Device

 

Control support function: Interacts with the SDN control layer to support programmability via resource-control interfaces. The switch communicates with the controller and the controller manages the switch via the OpenFlow switch protocol.

 

Data forwarding function: Accepts incoming data flows from other network devices and end systems and forwards them along the data forwarding paths that have been computed and established according to the rules defined by the SDN applications.

 

These forwarding rules used by the network device are embodied in forwarding tables that indicate for given categories of packets what the next hop in the route should be. In addition to simple forwarding of a packet, the network device can alter the packet header before forwarding, or discard the packet. As shown, arriving packets may be placed in an input queue, awaiting processing by the network device, and forwarded packets are generally placed in an output queue, awaiting transmission.

 

The network device in Figure 4.2 is shown with three I/O ports: one providing control communication with an SDN controller, and two for the input and output of data packets. This is a simple example. The network device may have multiple ports to communicate with multiple SDN controllers, and may have more than two I/O ports for packet flows into and out of the device.

 

Data Plane Protocols

 

Figure 4.2 suggests the protocols supported by the network device. Data packet flows consist of streams of IP packets. It may be necessary for the forwarding table to define entries based on fields in upper-level protocol headers, such as TCP, UDP, or some other transport or application protocol. The network device examines the IP header and possibly other headers in each packet and makes a forwarding decision.

 

The other important flow of traffic is via the southbound application programming interface (API), consisting of OpenFlow protocol data units (PDUs) or some similar southbound API protocol traffic.

 

4.2 OpenFlow Logical Network Device

 

To turn the concept of SDN into practical implementation, two requirements must be met:

 

There must be a common logical architecture in all switches, routers, and other network devices to be managed by an SDN controller. This logical architecture may be implemented in different ways on different vendor equipment and in different types of network devices, as long as the SDN controller sees a uniform logical switch functionality.

 

A standard, secure protocol is needed between the SDN controller and the network device.

 

These requirements are addressed by OpenFlow, which is both a protocol between SDN controllers and network devices and a specification of the logical structure of the network switch functionality. OpenFlow is defined in the OpenFlow Switch Specification, published by the Open Networking Foundation (ONF).

 
Open Networking Foundation OpenFlow Definition

 

This section covers the logical switch architecture defined by OpenFlow. Our discussion is based on the OpenFlow specification current at the time of this writing: Version 1.5.1, March 26, 2015.

 

Figure 4.3 indicates the main elements of an OpenFlow environment, consisting of SDN controllers that include OpenFlow software, OpenFlow switches, and end systems.

 
FIGURE 4.3 OpenFlow Switch Context

 

Figure 4.4 displays the main components of an OpenFlow switch. An SDN controller communicates with OpenFlow-compatible switches using the OpenFlow protocol, normally running over Transport Layer Security (TLS). The specification also allows the channel to run over plain TCP (IANA port 6653), but an unencrypted, unauthenticated channel lets anyone who can reach the management network read or inject flow modifications, so production deployments should use TLS with certificates on both the switch and the controller. On the switch side, the interface to the controller is known as the OpenFlow channel. Each switch also connects to other OpenFlow switches and, possibly, to end-user devices that are the sources and destinations of packet flows. These connections are via OpenFlow ports, and an OpenFlow port also connects the switch to the SDN controller. OpenFlow defines three types of ports:

 
FIGURE 4.4 OpenFlow Switch

 

Physical port: Corresponds to a hardware interface of the switch. For example, on an Ethernet switch, physical ports map one to one to the Ethernet interfaces.

 

Logical port: Does not correspond directly to a hardware interface of the switch. Logical ports are higher-level abstractions that may be defined in the switch using non-OpenFlow methods (for example, link aggregation groups, tunnels, loopback interfaces). Logical ports may include packet encapsulation and may map to various physical ports. The processing done by the logical port is implementation dependent and must be transparent to OpenFlow processing, and those ports must interact with OpenFlow processing like OpenFlow physical ports.

 

Reserved port: Defined by the OpenFlow specification. It specifies generic forwarding actions such as sending to and receiving from the controller, flooding, or forwarding using non-OpenFlow methods, such as “normal” switch processing.

 

Within each switch, a series of tables is used to manage the flows of packets through the switch.

 

The OpenFlow specification defines three types of tables in the logical switch architecture. A flow table matches incoming packets to a particular flow and specifies what functions are to be performed on the packets. There may be multiple flow tables that operate in a pipeline fashion, as explained subsequently. A flow table may direct a flow to a group table, which may trigger a variety of actions that affect one or more flows. A meter table can trigger a variety of performance-related actions on a flow. Meter tables are discussed in Chapter 10. Using the OpenFlow switch protocol, the controller can add, update, and delete flow entries in tables, both reactively (in response to packets) and proactively.

 

See Chapter 10, “Quality of Service.”

 

Before proceeding, it is helpful to define what is meant by the term flow. Curiously, this term is not defined in the OpenFlow specification, nor is there an attempt to define it in virtually all of the literature on OpenFlow. In general terms, a flow is a sequence of packets traversing a network that share a set of header field values. For example, a flow could consist of all packets with the same source and destination IP addresses or all packets with the same virtual LAN (VLAN) identifier. The sections that follow provide a more specific definition of this concept.

 

Flow Table Structure

 

The basic building block of the logical switch architecture is the flow table. Each packet that enters a switch passes through one or more flow tables. Each flow table consists of a number of rows, called entries, consisting of seven components (see part a of Figure 4.5), as defined in the list that follows.

 
FIGURE 4.5 OpenFlow Table Entry Formats

 

Match fields: Used to select packets that match the values in the fields.

 

Priority: Relative priority of table entries. This is a 16-bit field with 0 corresponding to the lowest priority, so in principle there are 2^16 = 65,536 priority levels.

 

Counters: Updated for matching packets. The OpenFlow specification defines a variety of counters. Table 4.1 lists the counters that must be supported by an OpenFlow switch.

 
TABLE 4.1 Required OpenFlow Counters

 

Instructions: Instructions to be performed if a match occurs.

 

Timeouts: Limits on how long the entry remains in the switch before it is expired. Each flow entry has an idle_timeout and a hard_timeout associated with it. A nonzero hard_timeout causes the flow entry to be removed after the given number of seconds, regardless of how many packets it has matched. A nonzero idle_timeout causes the flow entry to be removed when it has matched no packets for the given number of seconds.

 

Cookie: 64-bit opaque data value chosen by the controller. May be used by the controller to filter flow statistics, flow modification and flow deletion; not used when processing packets.

 

Flags: Flags alter the way flow entries are managed; for example, the flag OFPFF_SEND_FLOW_REM triggers flow removed messages for that flow entry.

 
Match Fields Component
 

The match fields component of a table entry consists of the following required fields (see part b of Figure 4.5):

 

Ingress port: The identifier of the port on this switch on which the packet arrived. This may be a physical port or a switch-defined virtual port. Required in ingress tables.

 

Egress port: The identifier of the egress port taken from the action set. Required in egress tables.

 

Ethernet source and destination addresses: Each entry can be an exact address, a bitmasked value for which only some of the address bits are checked, or a wildcard value (match any value).

 

Ethernet type field: Indicates type of the Ethernet packet payload.

 

IP protocol: The protocol number carried in the IPv4 Protocol or IPv6 Next Header field (for example, 6 for TCP, 17 for UDP).

 

IPv4 or IPv6 source address, and destination address: Each entry can be an exact address, a bitmasked value, a subnet mask value, or a wildcard value.

 

TCP source and destination ports: Exact match or wildcard value.

 

UDP source and destination ports: Exact match or wildcard value.

 

The preceding match fields must be supported by any OpenFlow-compliant switch. The following fields may be optionally supported.

 

Physical port: Used to designate underlying physical port when packet is received on a logical port.

 

Metadata: Additional information that can be passed from one table to another during the processing of a packet. Its use is discussed subsequently.

 

VLAN ID and VLAN user priority: Fields in the IEEE 802.1Q virtual LAN header. SDN support for VLANs is discussed in Chapter 8, “NFV Functionality.”

 

IPv4 or IPv6 DS and ECN: Differentiated Services and Explicit Congestion Notification fields.

 

SCTP source and destination ports: Exact match or wildcard value for the Stream Control Transmission Protocol.

 

ICMP type and code fields: Exact match or wildcard value.

 

ARP opcode: Exact match on the opcode field of an ARP packet (request or reply).

 

Source and target IPv4 addresses in ARP payload: Can be an exact address, a bitmasked value, a subnet mask value, or a wildcard value.

 

IPv6 flow label: Exact match or wildcard.

 

ICMPv6 type and code fields: Exact match or wildcard value.

 

IPv6 neighbor discovery target address: In an IPv6 Neighbor Discovery message.

 

IPv6 neighbor discovery source and target addresses: Link-layer address options in an IPv6 Neighbor Discovery message.

 

MPLS label value, traffic class, and BoS: Fields in the top label of an MPLS label stack.

 

Provider bridge traffic ISID: Service instance identifier.

 

Tunnel ID: Metadata associated with a logical port.

 

TCP flags: Flag bits in the TCP header. May be used to detect start and end of TCP connections.

 

IPv6 extension: Extension header.

 

Thus, OpenFlow can be used with network traffic involving a variety of protocols and network services. Note that at the MAC/link layer, only Ethernet is supported. Therefore, OpenFlow as currently defined cannot control Layer 2 traffic over wireless networks.

 

Each of the fields in the match fields component either has a specific value or a wildcard value, which matches any value in the corresponding packet header field. A flow table may include a table-miss flow entry, which wildcards all match fields (every field is a match regardless of value) and has the lowest priority.

 

We can now offer a more precise definition of the term flow. From the point of view of an individual switch, a flow is a sequence of packets that matches a specific entry in a flow table. The definition is packet oriented, in the sense that it is a function of the values of header fields of the packets that constitute the flow, and not a function of the path they follow through the network. A combination of flow entries on multiple switches defines a flow that is bound to a specific path.
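The flow entry and match field semantics above, as an added example in Python that is not from the book or the OpenFlow specification. It models one flow table: each match field is exact or masked in the OXM style (a field that is absent is a wildcard), lookup selects the highest-priority matching entry and falls back to the table-miss entry, idle and hard timeouts expire entries, and the per-entry packet counter is updated on a hit. The field names (eth_type, ipv4_src, tcp_dst, and so on), the packet dictionaries, the cookies and the three entries are constructed for illustration, and the instruction strings stand in for real instruction lists. It goes one step beyond the text by reporting shadowed entries: a broad permit installed at a higher priority than a narrower block means the block can never be selected, which is the usual way a flow-table ACL fails silently.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def ip(s: str) -> int:
    """IPv4 dotted-quad to the integer the match logic works on."""
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class Match:
    """One OXM-style match: exact (mask None) or masked. A wildcard is simply absent."""
    value: int
    mask: Optional[int] = None

    def covers(self, pkt_value: int) -> bool:
        m = -1 if self.mask is None else self.mask
        return (pkt_value & m) == (self.value & m)

    def subsumes(self, other: "Match") -> bool:
        """Every value accepted by `other` is also accepted by self."""
        m = -1 if self.mask is None else self.mask
        o = -1 if other.mask is None else other.mask
        return (m & o) == m and (self.value & m) == (other.value & m)


@dataclass
class FlowEntry:
    match: dict                        # field name -> Match; fields not listed are wildcards
    priority: int = 0                  # 16-bit in OpenFlow, 0 is lowest; table-miss uses 0
    instructions: list = field(default_factory=list)  # empty here means "drop at exit"
    idle_timeout: int = 0              # seconds since last hit, 0 = never
    hard_timeout: int = 0              # seconds since installation, 0 = never
    cookie: int = 0                    # opaque to the switch; the controller uses it to find entries
    installed_at: float = 0.0
    last_hit: float = 0.0
    packet_count: int = 0              # one of the required per-entry counters

    def matches(self, pkt: dict) -> bool:
        return all(k in pkt and m.covers(pkt[k]) for k, m in self.match.items())

    def subsumes(self, other: "FlowEntry") -> bool:
        """Every packet matching `other` also matches self (self is the looser entry)."""
        return all(k in other.match and m.subsumes(other.match[k]) for k, m in self.match.items())


class FlowTable:
    def __init__(self):
        self.entries: list[FlowEntry] = []   # kept sorted, highest priority first

    def add(self, e: FlowEntry, now: float) -> None:
        e.installed_at = e.last_hit = now
        self.entries.append(e)
        self.entries.sort(key=lambda x: x.priority, reverse=True)

    def lookup(self, pkt: dict, now: float) -> Optional[FlowEntry]:
        """Highest-priority matching entry; the table-miss entry, if any, is tried last."""
        for e in self.entries:
            if e.matches(pkt):
                e.packet_count += 1
                e.last_hit = now
                return e
        return None

    def expire(self, now: float) -> list[FlowEntry]:
        """Remove entries whose hard or idle timeout has elapsed, as the switch would."""
        gone = [e for e in self.entries
                if (e.hard_timeout and now - e.installed_at >= e.hard_timeout)
                or (e.idle_timeout and now - e.last_hit >= e.idle_timeout)]
        self.entries = [e for e in self.entries if e not in gone]
        return gone

    def shadowed(self) -> list[FlowEntry]:
        """Entries that can never be selected: a strictly higher-priority entry subsumes them."""
        return [low for i, low in enumerate(self.entries)
                if any(h.priority > low.priority and h.subsumes(low) for h in self.entries[:i])]


def demo(now: float = 1000.0) -> dict:
    """Constructed table: a broad permit outranks a narrower SSH block (the mistake)."""
    t = FlowTable()
    t.add(FlowEntry({"eth_type": Match(0x0800), "ipv4_dst": Match(ip("10.0.0.5"))},
                    priority=100, instructions=["output:2"], idle_timeout=30, cookie=1), now)
    t.add(FlowEntry({"eth_type": Match(0x0800), "ip_proto": Match(6),
                     "ipv4_src": Match(ip("10.0.0.0"), 0xFF000000),      # 10.0.0.0/8
                     "ipv4_dst": Match(ip("10.0.0.5")), "tcp_dst": Match(22)},
                    priority=50, cookie=2), now)                          # no output: drop
    t.add(FlowEntry({}, priority=0, instructions=["output:CONTROLLER"]), now)  # table-miss
    ssh = {"in_port": 1, "eth_type": 0x0800, "ip_proto": 6, "ipv4_src": ip("10.1.2.3"),
           "ipv4_dst": ip("10.0.0.5"), "tcp_dst": 22}
    arp = {"in_port": 1, "eth_type": 0x0806}
    return {"ssh": t.lookup(ssh, now).cookie,             # 1: the permit wins, SSH is forwarded
            "arp": t.lookup(arp, now).cookie,             # 0: only the table-miss entry matches
            "shadowed": [e.cookie for e in t.shadowed()], # [2]: the block can never fire
            "expired": [e.cookie for e in t.expire(now + 31)]}  # [1]: the permit idled out


if __name__ == "__main__":
    print(demo())
```

The shadowing check is the part worth keeping in a controller: the switch never reports that an entry is unreachable, and the spec only defines behaviour for overlapping entries of different priorities, so a controller that installs ACL entries should either give the deny the higher priority or verify, as `shadowed()` does, that no looser entry outranks it.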

 
Instructions Component
 

The instructions component of a table entry consists of a set of instructions that are executed if the packet matches the entry. Before describing the types of instructions, we need to define the terms action and action set. Actions describe packet forwarding, packet modification, and group table processing operations. The OpenFlow specification includes the following actions:

 

Output: Forward packet to specified port. The port could be an output port to another switch or the port to the controller. In the latter case, the packet is encapsulated in a message to the controller.

 

Set-Queue: Sets the queue ID for a packet. When the packet is forwarded to a port using the output action, the queue ID determines which queue attached to this port is used for scheduling and forwarding the packet. Forwarding behavior is dictated by the configuration of the queue and is used to provide basic QoS support. SDN support for QoS is discussed in Chapter 10.

 

Group: Process packet through specified group.

 

Push-Tag/Pop-Tag: Push or pop a tag field for a VLAN or Multiprotocol Label Switching (MPLS) packet.

 

Set-Field: The various Set-Field actions are identified by their field type and modify the values of respective header fields in the packet.

 

Change-TTL: The various Change-TTL actions modify the values of the IPv4 TTL (time to live), IPv6 hop limit, or MPLS TTL in the packet.

 

Drop: There is no explicit action to represent drops. Instead, packets whose action sets have no output action should be dropped.

 

An action set is a list of actions associated with a packet that are accumulated while the packet is processed by each table and that are executed when the packet exits the processing pipeline.

 

The types of instructions can be grouped into four categories:

 

Direct packet through pipeline: The Goto-Table instruction directs the packet to a table farther along in the pipeline. The Meter instruction directs the packet to a specified meter.

 

Perform action on packet: Actions may be performed on the packet when it is matched to a table entry. The Apply-Actions instruction applies the specified actions immediately, without any change to the action set associated with this packet. This instruction may be used to modify the packet between two tables in the pipeline.

 

Update action set: The Write-Actions instruction merges specified actions into the current action set for this packet. The Clear-Actions instruction clears all the actions in the action set.

 

Update metadata: A metadata value can be associated with a packet. It is used to carry information from one table to the next. The Write-Metadata instruction updates an existing metadata value or creates a new value.

 

Flow Table Pipeline

 

A switch includes one or more flow tables. If there is more than one flow table, they are organized as a pipeline, with the tables labeled with increasing numbers starting with zero. The use of multiple tables in a pipeline, rather than a single flow table, provides the SDN controller with considerable flexibility.

 

The OpenFlow specification defines two stages of processing:

 

Ingress processing: Ingress processing always happens, beginning with Table 0, and uses the identity of the input port. Table 0 may be the only table, in which case the ingress processing is simplified to the processing performed on that single table, and there is no egress processing.

 

Egress processing: Egress processing is the processing that happens after the determination of the output port. It happens in the context of the output port. This stage is optional. If it occurs, it may involve one or more tables. The separation of the two stages is indicated by the numerical identifier of the first egress table. All tables with a number lower than the first egress table must be used as ingress tables, and no table with a number higher than or equal to the first egress table can be used as an ingress table.

 

Pipeline processing always starts with ingress processing at the first flow table; the packet must be first matched against flow entries of flow Table 0. Other ingress flow tables may be used depending on the outcome of the match in the first table. If the outcome of ingress processing is to forward the packet to an output port, the OpenFlow switch may perform egress processing in the context of that output port.

 

When a packet is presented to a table for matching, the input consists of the packet, the identity of the ingress port, the associated metadata value, and the associated action set. For Table 0, the metadata value is blank and the action set is null. At each table, processing proceeds as follows (see Figure 4.6):

 
FIGURE 4.6 Simplified Flowchart Detailing Packet Flow Through an OpenFlow Switch

 

1. If there is a match on one or more entries, other than the table-miss entry, the match is defined to be with the highest-priority matching entry. As mentioned in the preceding discussion, the priority is a component of a table entry and is set via OpenFlow; the priority is determined by the user or application invoking OpenFlow. The following steps may then be performed:

a. Update any counters associated with this entry.

b. Execute any instructions associated with this entry. This may include updating the action set, updating the metadata value, and performing actions.

c. The packet is then forwarded to a flow table further down the pipeline, to the group table, to the meter table, or directed to an output port.

2. If there is a match only on a table-miss entry, the table entry may contain instructions, as with any other entry. In practice, the table-miss entry specifies one of three actions:

a. Send packet to controller. This will enable the controller to define a new flow for this and similar packets, or decide to drop the packet.

b. Direct packet to another flow table farther down the pipeline.

c. Drop the packet.

3. If there is no match on any entry and there is no table-miss entry, the packet is dropped.

For the final table in the pipeline, forwarding to another flow table is not an option. If and when a packet is finally directed to an output port, the accumulated action set is executed and then the packet is queued for output. Figure 4.7 illustrates the overall ingress pipeline process.

FIGURE 4.7 Packet Flow Through an OpenFlow Switch: Ingress Processing

If egress processing is associated with a particular output port, then after a packet is directed to an output port at the completion of the ingress processing, the packet is directed to the first flow table of the egress pipeline. Egress pipeline processing proceeds in the same fashion as for ingress processing, except that there is no group table processing at the end of the egress pipeline. Egress processing is shown in Figure 4.8.

FIGURE 4.8 Packet Flow Through OpenFlow Switch: Egress Processing

The Use of Multiple Tables

The use of multiple tables enables the nesting of flows, or put another way, the breaking down of a single flow into a number of parallel subflows. Figure 4.9 illustrates this property. In this example, an entry in Table 0 defines a flow consisting of packets traversing the network from a specific source IP address to a specific destination IP address. Once a least-cost route between these two endpoints is established, it might make sense for all traffic between these two endpoints to follow that route, and the next hop on that route from this switch can be entered in Table 0. In Table 1, separate entries for this flow can be defined for different transport layer protocols, such as TCP and UDP. For these subflows, the same output port might be retained so that the subflows all follow the same route. However, TCP includes elaborate congestion control mechanisms not normally found with UDP, so it might be reasonable to handle the TCP and UDP subflows differently in terms of quality of service (QoS)-related parameters. Any of the Table 1 entries could immediately route its respective subflow to the output port, but some or all of the entries may invoke Table 2, further dividing each subflow. The figure shows that the TCP subflow could be divided on the basis of the protocol running on top of TCP, such as Simple Mail Transfer Protocol (SMTP) or File Transfer Protocol (FTP). Similarly, the UDP flow could be subdivided based on protocols running on UDP, such as Simple Network Management Protocol (SNMP). The figure also indicates other subflows at Tables 1 and 2, which may be used for other purposes.

FIGURE 4.9 Example of Nested Flows

For this example, it would be possible to define each of these fine-grained subflows in Table 0. The use of multiple tables simplifies the processing in both the SDN controller and the OpenFlow switch. Actions such as next hop that apply to the aggregate flow can be defined once by the controller and examined and performed once by the switch. The addition of new subflows at any level involves less setup. Therefore, the use of pipelined, multiple tables increases the efficiency of network operations, provides granular control, and enables the network to respond to real-time changes at the application, user, and session levels.
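The ingress pipeline steps described above (priority match, table-miss entry, instructions, accumulated action set) and the nested flows of Figure 4.9, as one added simulation in Python. This is not the book's code or an OpenFlow implementation; the table contents, IP addresses, port numbers, metadata and queue ids are constructed for the demonstration.

```python
# Added example, not from the book: a small simulation of OpenFlow ingress
# processing (priority match, table-miss, instructions, accumulated action set,
# goto-table) using the nested flows of Figure 4.9 as the rule set.
# Table contents, addresses, port numbers and queue ids are constructed.
from dataclasses import dataclass, field

DROP = "drop"
TO_CONTROLLER = "controller"


@dataclass
class FlowEntry:
    priority: int
    match: dict                       # field -> required value; {} matches every packet
    instructions: dict = field(default_factory=dict)
    # instruction keys used here: "apply" (actions executed immediately),
    # "write" (actions merged into the action set), "metadata", "goto" (next table id)
    packet_count: int = 0             # counter updated on every match (step 1a)

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


class Pipeline:
    def __init__(self, tables: dict):
        self.tables = tables          # table id -> list of FlowEntry

    def lookup(self, table_id: int, pkt: dict):
        """Highest-priority matching entry; a priority-0 empty match is the table-miss entry."""
        hits = [e for e in self.tables[table_id] if e.matches(pkt)]
        return max(hits, key=lambda e: e.priority) if hits else None

    def process(self, pkt: dict) -> dict:
        """Ingress processing from Table 0; returns the packet's final disposition."""
        table_id, metadata, action_set, trace = 0, 0, {}, []
        while True:
            entry = self.lookup(table_id, pkt)
            if entry is None:                        # step 3: no match, no table-miss entry
                return {"disposition": DROP, "trace": trace}
            entry.packet_count += 1                  # step 1a
            ins = entry.instructions                 # step 1b
            for act in ins.get("apply", []):
                pkt = {**pkt, **act}                 # apply-actions change the packet now
            action_set.update(ins.get("write", {}))  # write-actions accumulate
            metadata = ins.get("metadata", metadata)
            trace.append((table_id, entry.priority))
            nxt = ins.get("goto")                    # step 1c / 2b
            if nxt is None:
                break
            if nxt <= table_id or nxt not in self.tables:
                raise ValueError("goto must point to a later table")
            table_id = nxt
        # leaving the pipeline: execute the accumulated action set
        out = action_set.get("output")
        if out is None:
            return {"disposition": DROP, "trace": trace}             # empty action set
        if out == TO_CONTROLLER:
            return {"disposition": TO_CONTROLLER, "trace": trace}    # becomes a Packet-in
        return {"disposition": "output", "port": out, "queue": action_set.get("queue", 0),
                "metadata": metadata, "packet": pkt, "trace": trace}


def figure_4_9_pipeline() -> Pipeline:
    """Constructed rule set: Table 0 = IP pair, Table 1 = transport, Table 2 = application."""
    return Pipeline({
        0: [FlowEntry(10, {"ipv4_src": "10.0.0.1", "ipv4_dst": "10.0.1.9"},
                      {"write": {"output": 3}, "goto": 1}),     # aggregate flow: next hop is port 3
            FlowEntry(0, {}, {"write": {"output": TO_CONTROLLER}})],   # table-miss: ask controller
        1: [FlowEntry(10, {"ip_proto": 6}, {"metadata": 0x1, "goto": 2}),   # TCP subflow
            FlowEntry(10, {"ip_proto": 17}, {"write": {"queue": 2}}),        # UDP subflow
            FlowEntry(0, {}, {})],               # table-miss: just execute the action set
        2: [FlowEntry(20, {"tcp_dst": 25}, {"write": {"queue": 1}}),   # SMTP
            FlowEntry(20, {"tcp_dst": 21}, {"write": {"queue": 3}}),   # FTP control
            FlowEntry(0, {}, {})],
    })


def classify(pkt: dict) -> dict:
    """Run pkt through a fresh Figure 4.9 pipeline and return its disposition."""
    return figure_4_9_pipeline().process(pkt)
```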

Group Table

In the course of pipeline processing, a flow table may direct a flow of packets to the group table rather than another flow table. The group table and group actions enable OpenFlow to represent a set of ports as a single entity for forwarding packets. Different types of groups are provided to represent different forwarding abstractions, such as multicasting and broadcasting.

Each group table consists of a number of rows, called group entries, consisting of four components (refer back to part c of Figure 4.5):

Group identifier: A 32-bit unsigned integer uniquely identifying the group. A group is defined as an entry in the group table.

Group type: To determine group semantics, as explained subsequently.

Counters: Updated when packets are processed by a group.

Action buckets: An ordered list of action buckets, where each action bucket contains a set of actions to execute and associated parameters.

Each group includes a set of one or more action buckets. Each bucket contains a list of actions. Unlike the action set associated with a flow table entry, which is a list of actions that accumulate while the packet is processed by each flow table, the action list in a bucket is executed when a packet reaches a bucket. The action list is executed in sequence and generally ends with the Output action, which forwards the packet to a specified port. The action list may also end with the Group action, which sends the packet to another group. This enables the chaining of groups for more complex processing.

A group is designated as one of the types depicted in Figure 4.10: all, select, fast failover, and indirect.

FIGURE 4.10 Group Types

The all type executes all the buckets in the group. Thus, each arriving packet is effectively cloned. Typically, each bucket will designate a different output port, so that the incoming packet is then transmitted on multiple output ports. This group is used for multicast or broadcast forwarding.

The select type executes one bucket in the group, based on a switch-computed selection algorithm (for example, hash on some user-configured tuple or simple round-robin). The selection algorithm should implement equal load sharing or, optionally, load sharing based on bucket weights assigned by the SDN controller.

The fast failover type executes the first live bucket. Port liveness is managed by code outside of the scope of OpenFlow and may have to do with routing algorithms or congestion control mechanisms. The buckets are evaluated in order, and the first live bucket is selected. This group type enables the switch to change forwarding without requiring a round trip to the controller.

The three just-mentioned types all work with a single packet flow. The indirect type allows multiple packet flows (that is, multiple flow table entries) to point to a common group identifier. This type provides for more efficient management by the controller in certain situations. For example, suppose that there are 100 flow entries that have the same match value in the IPv4 destination address match field, but differ in some other match field, but all of them forward the packet to port X by including the action Output X on the action list. We can instead replace this action with the action Group GID, where GID is the ID of an indirect group entry that forwards the packet to port X. If the SDN controller needs to change from port X to port Y, it is not necessary to update all 100 flow table entries. All that is required is to update the group entry.
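The four group types of Figure 4.10 and the indirect-group update in the preceding paragraph, as an added Python simulation (not the book's code and not a switch implementation). Group ids, port numbers, bucket weights, the CRC-based selection hash and the port-liveness model are all constructed assumptions.

```python
# Added example, not from the book: simulated group-table semantics for the four
# group types of Figure 4.10, plus the 100-flow-entry indirect-group update.
# Port numbers, group ids, weights, the selection hash and liveness are constructed.
import zlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Bucket:
    actions: list                     # ordered action list, ending in ("output", port) or ("group", gid)
    weight: int = 1                   # select groups: traffic share assigned by the controller
    watch_port: Optional[int] = None  # fast failover: bucket is live only while this port is up


@dataclass
class GroupEntry:
    group_id: int
    group_type: str                   # "all" | "select" | "fast_failover" | "indirect"
    buckets: list
    packet_count: int = 0             # group counters


class GroupTable:
    def __init__(self):
        self.groups = {}
        self.port_up = {}             # liveness is decided outside OpenFlow; modelled as a dict

    def add(self, group: GroupEntry):
        if group.group_type == "indirect" and len(group.buckets) != 1:
            raise ValueError("an indirect group has exactly one bucket")
        self.groups[group.group_id] = group

    def set_port_state(self, port: int, up: bool):
        self.port_up[port] = up

    def apply_actions(self, actions: list, pkt: dict) -> list:
        """Run a flow entry's action list (for example [("group", 7)]) on a copy of pkt."""
        return self._run_bucket(Bucket(actions), dict(pkt), 0)

    def execute(self, gid: int, pkt: dict, depth: int = 0) -> list:
        """Apply group gid to pkt; returns the list of (port, packet) outputs produced."""
        if depth > 8:                              # guard against a cycle of chained groups
            raise RuntimeError("group chain too deep")
        g = self.groups[gid]
        g.packet_count += 1
        if g.group_type == "all":                  # clone the packet into every bucket
            chosen = g.buckets
        elif g.group_type == "select":             # one bucket, switch-computed choice
            chosen = [self._select(g, pkt)]
        elif g.group_type == "fast_failover":      # first live bucket, no controller round trip
            live = [b for b in g.buckets if self.port_up.get(b.watch_port, False)]
            chosen = live[:1]                      # no live bucket: packet is dropped
        elif g.group_type == "indirect":
            chosen = g.buckets
        else:
            raise ValueError(f"unknown group type {g.group_type}")
        outs = []
        for b in chosen:
            outs.extend(self._run_bucket(b, dict(pkt), depth))
        return outs

    def _select(self, g: GroupEntry, pkt: dict) -> Bucket:
        """Weighted choice by hashing a user-configured tuple (here the IPv4 src/dst pair)."""
        key = f"{pkt.get('ipv4_src')}|{pkt.get('ipv4_dst')}".encode()
        slot = zlib.crc32(key) % sum(b.weight for b in g.buckets)
        for b in g.buckets:
            if slot < b.weight:
                return b
            slot -= b.weight
        raise AssertionError("unreachable")

    def _run_bucket(self, b: Bucket, pkt: dict, depth: int) -> list:
        outs = []
        for kind, arg in b.actions:                # the action list runs in order
            if kind == "set_field":
                pkt[arg[0]] = arg[1]
            elif kind == "output":
                outs.append((arg, pkt))
            elif kind == "group":                  # chaining: hand the packet to another group
                outs.extend(self.execute(arg, pkt, depth + 1))
        return outs


def build_demo() -> GroupTable:
    """Constructed group table: one entry per type, plus a group that chains into group 1."""
    gt = GroupTable()
    gt.add(GroupEntry(1, "all", [Bucket([("output", 1)]), Bucket([("output", 2)]), Bucket([("output", 3)])]))
    gt.add(GroupEntry(2, "select", [Bucket([("output", 4)], weight=3), Bucket([("output", 5)], weight=1)]))
    gt.add(GroupEntry(3, "fast_failover",
                      [Bucket([("output", 6)], watch_port=6), Bucket([("output", 7)], watch_port=7)]))
    gt.add(GroupEntry(7, "indirect", [Bucket([("output", 8)])]))          # "port X" of the text
    gt.add(GroupEntry(9, "indirect", [Bucket([("set_field", ("vlan_vid", 10)), ("group", 1)])]))
    gt.set_port_state(6, True)
    gt.set_port_state(7, True)
    return gt


def repoint_indirect(gt: GroupTable, gid: int, new_port: int):
    """The one update the controller makes instead of rewriting every flow entry."""
    gt.groups[gid].buckets[0].actions = [("output", new_port)]
```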

4.3 OpenFlow Protocol

The OpenFlow protocol describes message exchanges that take place between an OpenFlow controller and an OpenFlow switch. Typically, the protocol is implemented on top of TLS, providing a secure OpenFlow channel.

The OpenFlow protocol enables the controller to perform add, update, and delete actions to the flow entries in the flow tables. It supports three types of messages (see Table 4.2):

TABLE 4.2 OpenFlow Messages

Controller to switch: These messages are initiated by the controller and, in some cases, require a response from the switch. This class of messages enables the controller to manage the logical state of the switch, including its configuration and details of flow and group table entries. Also included in this class is the Packet-out message. This message is sent by the controller to a switch when that switch sends a packet to the controller and the controller decides not to drop the packet but to direct it to a switch output port.

Asynchronous: These types of messages are sent without solicitation from the controller. This class includes various status messages to the controller. Also included is the Packet-in message, which may be used by the switch to send a packet to the controller when there is no flow table match.

Symmetric: These messages are sent without solicitation from either the controller or the switch. They are simple yet helpful. Hello messages are typically sent back and forth between the controller and switch when the connection is first established. Echo request and reply messages can be used by either the switch or controller to measure the latency or bandwidth of a controller-switch connection or just verify that the device is up and running. The Experimenter message is used to stage features to be built in to future versions of OpenFlow.

In general terms, the OpenFlow protocol provides the SDN controller with three types of information to be used in managing the network:

Event-based messages: Sent by the switch to the controller when a link or port change occurs.

Flow statistics: Generated by the switch based on traffic flow. This information enables the controller to monitor traffic, reconfigure the network as needed, and adjust flow parameters to meet QoS requirements.

Encapsulated packets: Sent by the switch to the controller either because there is an explicit action to send this packet in a flow table entry or because the switch needs information for establishing a new flow.

The OpenFlow protocol enables the controller to manage the logical structure of a switch, without regard to the details of how the switch implements the OpenFlow logical architecture.

4.4 Key Terms

After completing this chapter, you should be able to define the following terms.

action bucket
action list
action set
egress table
flow
flow table
group table
ingress table
match fields
OpenFlow action
OpenFlow instruction
OpenFlow message
OpenFlow port
OpenFlow switch
SDN data plane

Chapter 5. SDN Control Plane

The organization for the control and guidance of the trade should therefore be of so complete a character that the trade may be either dispersed about the ocean or concentrated along particular routes; or in some places dispersed and in others concentrated; and that changes from one policy to the other can be made when necessary at any time.

The World Crisis, Winston Churchill, 1923

Chapter Objectives: After studying this chapter, you should be able to

List and explain the key functions of the SDN control plane.
Discuss the routing function in the SDN controller.
Understand the ITU-T Y.3300 layered SDN model.
Present an overview of OpenDaylight.
Present an overview of REST.
Compare centralized and distributed SDN controller architectures.
Explain the role of BGP in an SDN network.

This chapter continues our study of software-defined networking (SDN), focusing on the control plane (see Figure 5.1). Section 5.1 provides an overview of SDN control plane architecture, discussing the functions and interface capabilities of a typical SDN control plane implementation. Next, we summarize the ITU-T layered SDN model, which provides additional insight into the role of the control plane. This is followed by a description of one of the most significant open source SDN controller efforts, known as OpenDaylight. Then Section 5.4 describes the REST northbound interface, which has become common in SDN implementations. Finally, Section 5.5 discusses issues relating to cooperation and coordination among multiple SDN controllers.

FIGURE 5.1 SDN Architecture

5.1 SDN Control Plane Architecture

The SDN control layer maps application layer service requests into specific commands and directives to data plane switches and supplies applications with information about data plane topology and activity. The control layer is implemented as a server or cooperating set of servers known as SDN controllers. This section provides an overview of control plane functionality. Later, we look at specific protocols and standards implemented within the control plane.

Control Plane Functions

Figure 5.2 illustrates the functions performed by SDN controllers. The figure illustrates the essential functions that any controller should provide, as suggested in a paper by Kreutz [KREU15], which include the following:

FIGURE 5.2 SDN Control Plane Functions and Interfaces

Shortest path forwarding: Uses routing information collected from switches to establish preferred routes.

Notification manager: Receives, processes, and forwards events to an application, such as alarm notifications, security alarms, and state changes.

Security mechanisms: Provides isolation and security enforcement between applications and services.

Topology manager: Builds and maintains switch interconnection topology information.

Statistics manager: Collects data on traffic through the switches.

Device manager: Configures switch parameters and attributes and manages flow tables.

The functionality provided by the SDN controller can be viewed as a network operating system (NOS). As with a conventional OS, an NOS provides essential services, common application programming interfaces (APIs), and an abstraction of lower-layer elements to developers. The functions of an SDN NOS, such as those in the preceding list, enable developers to define network policies and manage networks without concern for the details of the network device characteristics, which may be heterogeneous and dynamic. The northbound interface, discussed subsequently, provides a uniform means for application developers and network managers to access SDN services and perform network management tasks. Further, well-defined northbound interfaces enable developers to create software that is not only independent of data plane details but also, to a great extent, usable with a variety of SDN controller servers.

A number of different initiatives, both commercial and open source, have resulted in SDN controller implementations. The following list describes a few prominent ones:

OpenDaylight: An open source platform for network programmability to enable SDN, written in Java. OpenDaylight was founded by Cisco and IBM, and its membership is heavily weighted toward network vendors. OpenDaylight can be implemented as a single centralized controller, but enables controllers to be distributed where one or multiple instances may run on one or more clustered servers in the network.

Open Network Operating System (ONOS): An open source SDN NOS, initially released in 2014. It is a nonprofit effort funded and developed by a number of carriers, such as AT&T and NTT, and other service providers. Significantly, ONOS is supported by the Open Networking Foundation, making it likely that ONOS will be a major factor in SDN deployment. ONOS is designed to be used as a distributed controller and provides abstractions for partitioning and distributing network state onto multiple distributed controllers.

POX: An open source OpenFlow controller that has been implemented by a number of SDN developers and engineers. POX has a well-written API and documentation. It also provides a web-based graphical user interface (GUI) and is written in Python, which typically shortens its experimental and developmental cycles compared to some other implementation languages, such as C++.

Beacon: An open source package developed at Stanford. Written in Java and highly integrated into the Eclipse integrated development environment (IDE). Beacon was the first controller that made it possible for beginner programmers to work with and create a working SDN environment.

Floodlight: An open source package developed by Big Switch Networks. Although its beginning was based on Beacon, it was built using Apache Ant, which is a very popular software build tool that makes the development of Floodlight easier and more flexible. Floodlight has an active community and has a large number of features that can be added to create a system that best meets the requirements of a specific organization. Both a web-based and a Java-based GUI are available, and most of its functionality is exposed through a REST API.

Ryu: An open source component-based SDN framework developed by NTT Labs. It is open source and written entirely in Python.

Onix: Another distributed controller, jointly developed by VMware, Google, and NTT. Onix is a commercially available SDN controller.

See Section 5.3, “OpenDaylight”

Perhaps the most significant controller on this list is OpenDaylight, described subsequently in Section 5.3.

Southbound Interface

The southbound interface provides the logical connection between the SDN controller and the data plane switches (see Figure 5.3). Some controller products and configurations support only a single southbound protocol. A more flexible approach is the use of a southbound abstraction layer that provides a common interface for the control plane functions while supporting multiple southbound APIs.

FIGURE 5.3 SDN Controller Interfaces

The most commonly implemented southbound API is OpenFlow, covered in some detail in Chapter 4, “SDN Data Plane and OpenFlow.” Other southbound interfaces include the following:

Open vSwitch Database Management Protocol (OVSDB): Open vSwitch (OVS) is an open source software project that implements virtual switching that is interoperable with almost all popular hypervisors. OVS uses OpenFlow for message forwarding in the control plane for both virtual and physical ports. OVSDB is the protocol used to manage and configure OVS instances.

Forwarding and Control Element Separation (ForCES): An IETF effort that standardizes the interface between the control plane and the data plane for IP routers.

Protocol Oblivious Forwarding (POF): This is advertised as an enhancement to OpenFlow that simplifies the logic in the data plane to a very generic forwarding element that need not understand the protocol data unit (PDU) format in terms of fields at various protocol levels. Rather, matching is done by means of (offset, length) blocks within a packet. Intelligence about packet format resides at the control plane level.

Northbound Interface

The northbound interface enables applications to access control plane functions and services without needing to know the details of the underlying network switches. The northbound interface is more typically viewed as a software API rather than a protocol.

Unlike the southbound and eastbound/westbound interfaces, where a number of heterogeneous interfaces have been defined, there is no widely accepted standard for the northbound interface. The result has been that a number of unique APIs have been developed for various controllers, complicating the effort to develop SDN applications. To address this issue the Open Networking Foundation formed the Northbound Interface Working Group (NBI-WG) in 2013, with the objective of defining and standardizing a number of broadly useful northbound APIs. As of this writing, the working group has not issued any standards.

A useful insight of the NBI-WG is that even in an individual SDN controller instance, APIs are needed at different “latitudes.” That is, some APIs may be “further north” than others, and access to one, several, or all of these different APIs could be a requirement for a given application.

Figure 5.4, from the NBI-WG charter document (October 2013), illustrates the concept of multiple API latitudes. For example, an application may need one or more APIs that directly expose the functionality of the controller, to manage a network domain, and use APIs that invoke analytic or reporting services residing on the controller.

FIGURE 5.4 Latitude of Northbound Interfaces

Figure 5.5 shows a simplified example of an architecture with multiple levels of northbound APIs, the levels of which are described in the list that follows.

FIGURE 5.5 SDN Controller APIs

Base controller function APIs: These APIs expose the basic functions of the controller and are used by developers to create network services.

Network service APIs: These APIs expose network services to the north.

Northbound interface application APIs: These APIs expose application-related services that are built on top of network services.

A common architectural style used for defining northbound APIs is REpresentational State Transfer (REST). Section 5.4 discusses REST.

See Section 5.4, “REST”

Routing

As with any network or internet, an SDN network requires a routing function. In general terms, the routing function comprises a protocol for collecting information about the topology and traffic conditions of the network, and an algorithm for designing routes through the network. Recall from Chapter 2, “Requirements and Technology,” that there are two categories of routing protocols: interior router protocols (IRPs) that operate within an autonomous system (AS), and exterior router protocols (ERPs) that operate between autonomous systems.

See Section 2.4, “Routing”

An IRP is concerned with discovering the topology of routers within an AS and then determining the best route to each destination based on different metrics. Two widely used IRPs are Open Shortest Path First (OSPF) Protocol and Enhanced Interior Gateway Routing Protocol (EIGRP). An ERP need not collect as much detailed traffic information. Rather, the primary concern with an ERP is to determine reachability of networks and end systems outside of the AS. Therefore, the ERP is typically executed only in edge nodes that connect one AS to another. Border Gateway Protocol (BGP) is commonly used for the ERP.

Traditionally, the routing function is distributed among the routers in a network. Each router is responsible for building up an image of the topology of the network. For interior routing, each router as well must collect information about connectivity and delays and then calculate the preferred route for each IP destination address. However, in an SDN-controlled network, it makes sense to centralize the routing function within the SDN controller. The controller can develop a consistent view of the network state for calculating shortest paths, and can implement application-aware routing policies. The data plane switches are relieved of the processing and storage burden associated with routing, leading to improved performance.

The centralized routing application performs two distinct functions: link discovery and topology manager.

For link discovery, the routing function needs to be aware of links between data plane switches. Note that in the case of an internetwork, the links between routers are networks, whereas for Layer 2 switches, such as Ethernet switches, the links are direct physical links. In addition, link discovery must be performed between a router and a host system and between a router in the domain of this controller and a router in a neighboring domain. Discovery is triggered by unknown traffic entering the controller’s network domain either from an attached host or from a neighboring router.

The topology manager maintains the topology information for the network and calculates routes in the network. Route calculation involves determining the shortest path between two data plane nodes or between a data plane node and a host.

 

5.2 ITU-T Model

 

Before proceeding to a discussion of an SDN controller design, it will be useful to look at the SDN high-level architecture defined in ITU-T Y.3300 (see Figure 5.6). As was depicted in Figure 3.3, the Y.3300 model consists of three layers, or planes: application, control, and resource. As defined in Y.3300, the application layer is where SDN applications specify network services or business applications by defining a service-aware behavior of network resources. The applications interact with the SDN control layer via APIs that form an application-control interface. The applications make use of an abstracted view of the network resources provided by the SDN control layer by means of information and data models exposed via the APIs.

 
FIGURE 5.6 High-Level Architecture of SDN (ITU-T Y.3300)

 

The control layer provides a means to dynamically control the behavior of network resources, as instructed by the application layer. The control layer can be viewed as having the following sublayers:

 

Application support: Provides an API for SDN applications to access network information and program application-specific network behavior.

 

Orchestration: Provides the automated control and management of network resources and coordination of requests from the application layer for network resources. Orchestration encompasses physical and virtual network topologies, network elements, traffic control, and other network-related aspects.

 

Abstraction: Interacts with network resources, and provides an abstraction of the network resources, including network capabilities and characteristics, to support management and orchestration of physical and virtual network resources. Such abstraction relies upon standard information and data models and is independent of the underlying transport infrastructure.

 

The resource layer consists of an interconnected set of data plane forwarding elements (switches). Collectively, these switches perform the transport and processing of data packets according to decisions made by the SDN control layer and forwarded to the resource layer via the resource-control interface. Most of this control is on behalf of applications. However, the SDN control layer, on its own behalf, may execute control of the resource layer for the sake of performance (for example, traffic engineering). The resource layer can be viewed as having the following sublayers:

 

Control support: Supports programmability of resource-layer functions via the resource-control interface.

 

Data transport and processing: Provides data forwarding and data routing functions.

 

The SDN design philosophy seeks to minimize the complexity and processing burden on the data switches. Accordingly, we can expect that many, if not most, commercial SDN switches will be equipped with a single southbound interface, such as OpenFlow, for simplicity of implementation and configuration. But different switches may support different southbound interfaces to the controller. Therefore, the SDN controller should support multiple protocols and interfaces to the data plane and be able to abstract all of these interfaces into a uniform network model to be used by the application layer.

 

5.3 OpenDaylight

 

The OpenDaylight Project is an open source project hosted by the Linux Foundation and includes the involvement of virtually every major networking organization, including users of SDN technology and vendors of SDN products. Rather than hammer out new standards, the project aims to produce an extensible, open source, virtual networking platform atop such existing standards as OpenFlow. The approach of OpenDaylight is to enable industry participants to come together to develop core open source modules collaboratively, around which participants can add unique value. The goal is a common and open SDN platform for developers to utilize, contribute to, and build commercial products and technologies upon.

 
It is worthwhile to examine OpenDaylight in some detail, as it gives the reader a good idea of the scope of functionality of a typical SDN controller.

 

OpenDaylight Architecture

 

Figure 5.7 provides a top-level view of the OpenDaylight architecture. It consists of five logical layers, as further described in the list that follows.

 
FIGURE 5.7 OpenDaylight Architecture

 

Network applications, orchestration, and services: Consists of business and network logic applications that control and monitor network behavior. These applications use the controller to gather network intelligence, run algorithms to perform analytics, and then use the controller to orchestrate the new rules, if any, throughout the network.

 

APIs: A set of common interfaces to OpenDaylight controller functions. OpenDaylight supports the Open Service Gateway Initiative (OSGi) framework and bidirectional REST for the northbound API. The OSGi framework is used for applications that will run in the same address space as the controller, while the REST (web-based) API is used for applications that do not run in the same address space (or even necessarily on the same machine) as the controller.

 

Controller functions and services: SDN control plane functions and services.

 

Service abstraction layer (SAL): Provides a uniform view of data plane resources, so that control plane functions can be implemented independent of the specific southbound interface and protocol.

 

Southbound interfaces and protocols: Supports OpenFlow, other standard southbound protocols, and vendor-specific interfaces.

 

There are several noteworthy aspects to the OpenDaylight architecture. First, OpenDaylight encompasses both control plane and application plane functionality. Thus, OpenDaylight is more than just an SDN controller implementation. This enables enterprise and telecommunications network managers to host open source software on their own servers to construct an SDN configuration. Vendors can use this software to create products with value-added additional application plane functions and services.

 

A second significant aspect of the OpenDaylight design is that it is not tied to OpenFlow or any other specific southbound interface. This provides greater flexibility in constructing SDN network configurations. The key element in this design is the SAL, which enables the controller to support multiple protocols on the southbound interface and provide consistent services for controller functions and for SDN applications. Figure 5.8 illustrates the operation of the SAL. The OSGi framework provides for dynamically linking plug-ins for the available southbound protocols. The capabilities of these protocols are abstracted to a collection of features that can be invoked by control plane services via a services manager in the SAL. The services manager maintains a registry that maps service requests to feature requests. Based on the service request, the SAL maps to the appropriate plug-in and thus uses the most appropriate southbound protocol to interact with a given network device.

 
FIGURE 5.8 Service Abstraction Layer Model

 

The emphasis in the OpenDaylight project is that the software suite be modular, pluggable, and flexible. All of the code is implemented in Java and is contained within its own Java Virtual Machine (JVM). As such, it can be deployed on any hardware and operating system platform that supports Java.

 

OpenDaylight Helium

 

At the time of this writing, the most recent release of OpenDaylight is the Helium release, illustrated in Figure 5.9. The controller platform (exclusive of applications, which may also run on the controller) consists of a growing collection of dynamically pluggable modules, each of which performs one or more SDN-related functions and services. Five modules are considered base network service functions, likely to be included in any OpenDaylight implementation, as described in the list that follows.

 
FIGURE 5.9 OpenDaylight Structure (Helium)

 

Topology manager: A service for learning the network layout by subscribing to events of node addition and removal and their interconnection. Applications requiring network view can use this service.

 

Statistics manager: Collects switch-related statistics, including flow statistics, node connector, and queue occupancy.

 

Switch manager: Holds the details of the data plane devices. As a switch is discovered, its attributes (for example, what switch/router it is, software version, capabilities) are stored in a database by the switch manager.

 

Forwarding rules manager: Installs routes and tracks next-hop information. Works in conjunction with switch manager and topology manager to register and maintain network flow state. Applications using this need not have visibility of network device specifics.

 

Host tracker: Tracks and maintains information about connected hosts.

 

To augment these base services, a number of other modules have been developed to enable implementation of more sophisticated and feature-rich controllers, as described in Table 5.1.

 
TABLE 5.1 OpenDaylight Modules

 

5.4 REST

 

REpresentational State Transfer (REST) is an architectural style used to define APIs. This has become a standard way of constructing northbound APIs for SDN controllers. A REST API, or an API that is RESTful (adheres to the constraints of REST) is not a protocol, language, or established standard. It is essentially six constraints that an API must follow to be RESTful. The objective of these constraints is to maximize the scalability and independence/interoperability of software interactions, and to provide for a simple means of constructing APIs.

 

REST Constraints

 

REST assumes that the concepts of web-based access are used for interaction between the application and the service that are on either side of the API. REST does not define the specifics of the API but imposes constraints on the nature of the interaction between application and service. The six REST constraints are as follows:

 

Client-server

 

Stateless

 

Cache

 

Uniform interface

 

Layered system

 

Code on demand

 

The sections that follow cover these constraints in more detail.

 
Client-Server Constraint

This simple constraint dictates that interaction between application and server is in the client-server request/response style. The principle defined for this constraint is the separation of user interface concerns from data storage concerns. This separation allows client and server components to evolve independently and supports the portability of server-side functions to multiple platforms.

 
Stateless Constraint

The stateless constraint dictates that each request from a client to a server must contain all the information necessary to understand the request and cannot take advantage of any stored context on the server. Similarly, each response from the server must contain all the desired information for that request. One consequence is that any “memory” of a transaction is maintained in a session state kept entirely on the client. Because the server does not retain any record of the client state, the result is a more efficient SDN controller. Another consequence is that if the client and server reside on different machines, and therefore communicate via a protocol, that protocol need not be connection oriented.

 

REST typically runs over Hypertext Transfer Protocol (HTTP), which is a stateless protocol.

 
Cache Constraint

The cache constraint requires that the data within a response to a request be implicitly or explicitly labeled as cacheable or noncacheable. If a response is cacheable, then a client cache is given the right to reuse that response data for later, equivalent requests. That is, the client is given permission to remember this data because the data is not likely to change on the server side. Therefore, subsequent requests for the same data can be handled locally at the client, reducing communication overhead between client and server, and reducing the server’s processing burden.

 
Uniform Interface Constraint

REST emphasizes a uniform interface between components, regardless of the specific client-server application API implemented using REST. This enables controller services to evolve independently and provides the ability for an SDN controller provider to use software components from various vendors to implement the controller.

 

To obtain a uniform interface, REST defines four interface constraints:

 

Identification of resources: Individual resources are identified using a resource identifier (for example, a URI).

 

Manipulation of resources through representations: Resources are represented in a format like JSON, XML, or HTML.

 

Self-descriptive messages: Each message has enough information to describe how the message is to be processed.

 

Hypermedia as the engine of the application state: A client needs no prior knowledge of how to interact with a server, because the API is not fixed but dynamically provided by the server.

 

The REST style emphasizes that interactions between clients and services are enhanced by having a limited number of operations (verbs). Flexibility is provided by assigning resources (nouns) their own unique Uniform Resource Identifier (URI). Because each verb has a specific meaning (GET, POST, PUT, and DELETE), REST avoids ambiguity.

 

The benefit of this constraint for an SDN environment is that different applications, perhaps written in different languages, can invoke the same controller service via a REST API.

 
Layered System Constraint

The layered system constraint simply means that a given function is organized in layers, with each layer only having direct interaction with the layers immediately above and below. This is a fairly standard architecture approach for protocol architectures, OS design, and system services design.

 
Code-on-Demand Constraint

REST allows client functionality to be extended by downloading and executing code in the form of applets or scripts. This simplifies clients by reducing the number of features required to be pre-implemented. Allowing features to be downloaded after deployment improves system extensibility.

 

Example REST API

 

To get a feel for the structure of a REST API, it is useful to look at an example. In this section, we discuss a REST API for the northbound interface of the Ryu SDN network operating system. The particular API switch manager service function in Ryu is designed to provide access to OpenFlow switches.

 

Each function that can be performed by the switch manager on behalf of an application is assigned a URI. For example, consider the function to get a description of all the entries in the group table of a particular switch. The URI for this function for this switch is as follows:

 

/stats/group/<dpid>

 

where stats (statistic) refers to the set of APIs for retrieving and updating switch statistics and parameters, group is the name of the function, and <dpid> (data path ID) is the unique identifier of the switch. To invoke the function for switch 1, the application issues the following command to the switch manager across the REST API:

 

GET http://localhost:8080/stats/groupdesc/1

 

The localhost portion of this command indicates that the application is running on the same server as the Ryu NOS. If the application were remote, the URI would be a URL that provides remote access via HTTP and the web. The switch manager responds to this command with a message whose body includes the dpid, followed by a sequence of blocks of values, one for each group defined in switch dpid. The values are as follows:

 

type: All, select, fast failover, or indirect (see Section 4.2).

 

group_id: Identifier of an entry in the group table.

 

buckets: A structured field consisting of the following subfields:

 

weight: Relative weight of bucket (only for select type).

 

watch_port: Port whose state affects whether this bucket is live (only required for fast failover groups).

 

watch_group: Group whose state affects whether this bucket is live (only required for fast failover groups).

 

actions: A list, possibly null, of actions.

 

The buckets portion of the message body is repeated, once for each group table entry.
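A parser and consistency check for the group description reply just described, written as an added example (not code from the book or from the Ryu project). The reply body is a constructed sample in the shape described above; the type spellings ALL/SELECT/INDIRECT/FF and the 0xFFFFFFFF "any" sentinel for unset watch fields are assumptions about the encoding.

```python
"""Parse and sanity-check a /stats/groupdesc/<dpid> reply of the form
described in the text: a JSON object keyed by dpid whose value is a list of
group entries, each carrying type, group_id and buckets (weight, watch_port,
watch_group, actions)."""
import json

OFPP_ANY = 0xFFFFFFFF   # assumed sentinel meaning "no watch port"
OFPG_ANY = 0xFFFFFFFF   # assumed sentinel meaning "no watch group"
GROUP_TYPES = {"ALL", "SELECT", "INDIRECT", "FF"}  # assumed spellings of the four types

# Constructed sample reply for switch dpid 1 (not captured from a real controller).
SAMPLE_GROUPDESC = json.dumps({
    "1": [
        {"type": "ALL", "group_id": 1,
         "buckets": [{"weight": 0, "watch_port": OFPP_ANY, "watch_group": OFPG_ANY,
                      "actions": ["OUTPUT:2"]},
                     {"weight": 0, "watch_port": OFPP_ANY, "watch_group": OFPG_ANY,
                      "actions": ["OUTPUT:3"]}]},
        {"type": "SELECT", "group_id": 2,
         "buckets": [{"weight": 70, "watch_port": OFPP_ANY, "watch_group": OFPG_ANY,
                      "actions": ["OUTPUT:2"]},
                     {"weight": 30, "watch_port": OFPP_ANY, "watch_group": OFPG_ANY,
                      "actions": ["OUTPUT:3"]}]},
        {"type": "FF", "group_id": 3,
         "buckets": [{"weight": 0, "watch_port": 2, "watch_group": OFPG_ANY,
                      "actions": ["OUTPUT:2"]},
                     {"weight": 0, "watch_port": 3, "watch_group": OFPG_ANY,
                      "actions": ["OUTPUT:3"]}]},
    ]
})


def parse_groupdesc(body, expected_dpid):
    """Decode the reply and return the group entries for expected_dpid.

    Raises ValueError if the body is not a single object keyed by dpid or if
    it describes a different switch than the one the request named.
    """
    doc = json.loads(body)
    if not isinstance(doc, dict) or len(doc) != 1:
        raise ValueError("reply must be a single object keyed by dpid")
    (dpid, entries), = doc.items()
    if int(dpid) != expected_dpid:
        raise ValueError("reply is for dpid %s, expected %d" % (dpid, expected_dpid))
    if not isinstance(entries, list):
        raise ValueError("group entries must be a list")
    return entries


def check_group(entry):
    """Return the consistency problems found in one group entry ([] if clean).

    Rules follow the field descriptions: weight is meaningful only for SELECT,
    watch_port/watch_group are required only for FF (fast failover), and an
    INDIRECT group carries exactly one bucket (OpenFlow specification).
    """
    problems = []
    gid = entry.get("group_id")
    gtype = entry.get("type")
    buckets = entry.get("buckets", [])
    if gtype not in GROUP_TYPES:
        return ["group %s: unknown type %r" % (gid, gtype)]
    if gtype == "INDIRECT" and len(buckets) != 1:
        problems.append("group %s: INDIRECT needs exactly one bucket" % gid)
    for i, b in enumerate(buckets):
        if gtype == "SELECT" and b.get("weight", 0) <= 0:
            problems.append("group %s bucket %d: SELECT bucket needs weight > 0" % (gid, i))
        if gtype == "FF" and b.get("watch_port", OFPP_ANY) == OFPP_ANY \
                and b.get("watch_group", OFPG_ANY) == OFPG_ANY:
            problems.append("group %s bucket %d: FF bucket has nothing to watch" % (gid, i))
        if not isinstance(b.get("actions", []), list):
            problems.append("group %s bucket %d: actions must be a list" % (gid, i))
    return problems


def audit_groupdesc(body, dpid):
    """Parse a reply and map every group_id on the switch to its problem list."""
    return {e["group_id"]: check_group(e) for e in parse_groupdesc(body, dpid)}
```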

 

Table 5.2 lists all the API functions for retrieving switch statistics and parameters that use the GET message type. There are also several functions that use the POST message type, in which the request message body includes a list of parameters that must be matched.

 
TABLE 5.2 Ryu REST APIs for Retrieving Switch Statistics Using GET

 

The switch manager API also provides functions for updating switch parameters. These all use the POST message type. In this case, the request message body includes the parameters and their values to be updated. Table 5.3 lists the update API functions.

 
TABLE 5.3 Ryu REST APIs for Update Switch Statistics Filtered by Fields Using POST

 

5.5 Cooperation and Coordination Among Controllers

 

In addition to northbound and southbound interfaces, a typical SDN controller will have an east/westbound interface that enables communication with other SDN controllers and other networks. As yet, there has been no significant progress on open source or standardized east/west protocols or interfaces. This section surveys key design issues related to the east/westbound interface.

 

Centralized Versus Distributed Controllers

 

A key architectural design decision is whether a single centralized controller or a distributed set of controllers will be used to control the data plane switches. A centralized controller is a single server that manages all the data plane switches in the network.

 

In a large enterprise network, the deployment of a single controller to manage all network devices would prove unwieldy or undesirable. A more likely scenario is that the operator of a large enterprise or carrier network divides the whole network into a number of nonoverlapping SDN domains, also called SDN islands (Figure 5.10), managed by distributed controllers. Reasons for using SDN domains include those in the list that follows.

 
FIGURE 5.10 SDN Domain Structure

 

Scalability: The number of devices an SDN controller can feasibly manage is limited. Therefore, a reasonably large network may need to deploy multiple SDN controllers.

 

Reliability: The use of multiple controllers avoids the risk of a single point of failure.

 

Privacy: A carrier may choose to implement different privacy policies in different SDN domains. For example, an SDN domain may be dedicated to a set of customers who implement their own highly customized privacy policies, requiring that some networking information in this domain (for example, network topology) should not be disclosed to an external entity.

 

Incremental deployment: A carrier’s network may consist of portions of legacy and nonlegacy infrastructure. Dividing the network into multiple individually manageable SDN domains allows for flexible incremental deployment.

 

Distributed controllers may be collocated in a small area, or widely dispersed, or a combination of the two. Closely placed controllers offer high throughput and are appropriate for data centers, whereas dispersed controllers accommodate multilocation networks.

 

Typically, controllers are distributed horizontally. That is, each controller governs a nonoverlapping subset of the data plane switches. A vertical architecture is also possible, in which control tasks are distributed to different controllers depending on criteria such as network view and locality requirements.

 

In a distributed architecture, a protocol is needed for communication among the controllers. In principle, a proprietary protocol could be used for this purpose, although an open or standard protocol would clearly be preferable for purposes of interoperability.

 

The functions associated with the east/westbound interface for a distributed architecture include maintaining either a partitioned or replicated database of network topology and parameters, and monitoring/notification functions. The latter function includes checking whether a controller is alive and coordinating changes in assignment of switches to controllers.

 

High-Availability Clusters

 

Within a single domain, the controller function can be implemented on a high-availability (HA) cluster. Typically, there would be two or more nodes that share a single IP address that is used by external systems (both northbound and southbound) to access the cluster. An example is the IBM SDN for Virtual Environments product, which uses two nodes. Each node is considered a peer of the other node in the cluster for data replication and sharing of the external IP address. When HA is running, the primary node is responsible for answering all traffic that is sent to the cluster's external IP address and holds a read/write copy of the configuration data. Meanwhile, the secondary node operates as a standby, with a read-only copy of the configuration data, which is kept current with the primary's copy. The secondary node monitors the state of the external IP. If the secondary node determines that the primary node is no longer answering the external IP, it triggers a failover, changing its mode to that of primary node. It assumes the responsibility for answering the external IP and changes its copy of the configuration data to be read/write. If the old primary reestablishes connectivity, an automatic recovery process is triggered to convert the old primary to secondary status, so that configuration changes made during the failover period are not lost.
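The failover and recovery sequence described above, as an added example (not vendor code from IBM or any controller project): a two-node cluster model in which the node names, the "generation" counter on the configuration copy and the health-check driver are this example's own assumptions. The point it makes concrete is that a returning old primary is demoted and resynced rather than resuming writes, so the changes made during the outage survive and two writable copies never coexist.

```python
"""Two-node HA controller cluster behind one shared external IP: primary
holds the read/write configuration, the secondary keeps a read-only replica,
takes over on failover, and a returning old primary is demoted and resynced."""


class Node:
    """One cluster member holding a copy of the controller configuration."""

    def __init__(self, name, role):
        self.name = name
        self.role = role            # "primary" (read/write) or "secondary" (read-only)
        self.config = {}            # controller configuration data
        self.generation = 0         # assumed: version counter for this copy of the data
        self.alive = True

    @property
    def writable(self):
        # Only the node currently holding the primary role may change configuration.
        return self.alive and self.role == "primary"


class Cluster:
    """Two peers sharing an external IP; exactly one of them answers it."""

    def __init__(self, external_ip):
        self.external_ip = external_ip
        self.primary = Node("node-a", "primary")
        self.secondary = Node("node-b", "secondary")

    def node(self, name):
        return self.primary if self.primary.name == name else self.secondary

    def answering_external_ip(self):
        """Name of the node currently answering the shared address, or None."""
        return self.primary.name if self.primary.alive else None

    def write_config(self, key, value):
        """Writes arrive via the external IP and are accepted only by the primary."""
        if not self.primary.writable:
            raise RuntimeError("no primary is answering %s" % self.external_ip)
        self.primary.config[key] = value
        self.primary.generation += 1
        self._replicate()

    def _replicate(self):
        """Keep the standby's read-only copy current with the primary's copy."""
        if self.secondary.alive:
            self.secondary.config = dict(self.primary.config)
            self.secondary.generation = self.primary.generation

    def node_down(self, name):
        self.node(name).alive = False

    def health_check(self):
        """The secondary probes the external IP. Silence from the primary triggers
        failover: the secondary takes the address and its copy becomes read/write."""
        if self.primary.alive or not self.secondary.alive:
            return "ok"
        self.primary, self.secondary = self.secondary, self.primary
        self.primary.role = "primary"
        self.secondary.role = "secondary"
        return "failover"

    def node_up(self, name):
        """Automatic recovery: a returning old primary comes back as secondary and
        is resynced from the current primary, so nothing written during the
        failover period is lost and only one node is ever writable."""
        returning = self.node(name)
        returning.alive = True
        if returning is self.secondary:
            returning.role = "secondary"
            self._replicate()
        return returning.role


def run_scenario():
    """Failover and recovery walk-through; returns the cluster's final state."""
    cluster = Cluster("198.51.100.10")        # constructed documentation address
    cluster.write_config("idle_timeout", 30)  # accepted by node-a, the primary
    cluster.node_down("node-a")               # primary stops answering the IP
    cluster.health_check()                    # node-b detects it and takes over
    cluster.write_config("idle_timeout", 60)  # change made during the outage
    cluster.node_up("node-a")                 # old primary returns as secondary
    return cluster
```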

 

ODL Helium has HA built in, and Cisco XNC and the Open Network controller have HA features (up to five in a cluster).

 

Federated SDN Networks

 

The distributed SDN architecture discussed in the preceding paragraphs refers to a system of SDN domains that are all part of a single enterprise network. The domains may be collocated or on separate sites. In either case, the management of all the data plane switches is under the control of a single network management function.

 

It is also possible for SDN networks that are owned and managed by different organizations to cooperate using east/westbound protocols. Figure 5.11 is an example of the potential for inter-SDN controller cooperation.

 
FIGURE 5.11 Federation of SDN Controllers [GUPT14]

 

In this configuration, we have a number of service subscribers to a data center network providing cloud-based services. Typically, as was illustrated previously in Figure 1.3, subscribers are connected to the service network through a hierarchy of access, distribution, and core networks. These intermediate networks may all be operated by the data center network, or they may involve other organizations. In the latter case, if all the networks implement SDN, they need common conventions for sharing control plane parameters, such as quality of service (QoS), policy information, and routing information.

 

Border Gateway Protocol

 

Before proceeding further with our discussion, it will be useful to provide an overview of the Border Gateway Protocol (BGP). BGP was developed for use in conjunction with internets that use the TCP/IP suite, although the concepts are applicable to any internet. BGP has become the preferred exterior router protocol (ERP) for the Internet.

 

BGP enables routers, called gateways in the standard, in different autonomous systems to cooperate in the exchange of routing information. The protocol operates in terms of messages, which are sent over TCP connections. The current version of BGP is known as BGP-4.

 

Three functional procedures are involved in BGP:

 

Neighbor acquisition

 

Neighbor reachability

 

Network reachability

 

Two routers are considered to be neighbors if they are attached to the same network or communication link. If they are attached to the same network, communication between the neighbor routers might require a path through other routers within the shared network. If the two routers are in different autonomous systems, they may want to exchange routing information. For this purpose, it is necessary first to perform neighbor acquisition. The term neighbor refers to two routers that share the same network. In essence, neighbor acquisition occurs when two neighboring routers in different autonomous systems agree to exchange routing information regularly. A formal acquisition procedure is needed because one of the routers may not want to participate. For example, the router may be overburdened and may not want to be responsible for traffic coming in from outside the AS. In the neighbor acquisition process, one router sends a request message to the other, which may either accept or refuse the offer. The protocol does not address the issue of how one router knows the address or even the existence of another router, nor how it decides that it needs to exchange routing information with that particular router. These issues must be dealt with at configuration time or by active intervention of a network manager.

 

To perform neighbor acquisition, one router sends an Open message to another. If the target router accepts the request, it returns a Keepalive message in response.

 

Once a neighbor relationship is established, the neighbor reachability procedure is used to maintain the relationship. Each partner needs to be assured that the other partner still exists and is still engaged in the neighbor relationship. For this purpose, the two routers periodically issue Keepalive messages to each other.

 

The final procedure specified by BGP is network reachability. Each router maintains a database of the networks that it can reach and the preferred route for reaching each network. Whenever a change is made to this database, the router issues an Update message that is broadcast to all other routers for which it has a neighbor relationship. Because the Update message is broadcast, all BGP routers can build up and maintain their routing information.

 

Routing and QoS Between Domains

 

For routing outside a controller’s domain, the controller establishes a BGP connection with each neighboring router. Figure 5.12 illustrates a configuration with two SDN domains that are linked only through a non-SDN AS.

 
FIGURE 5.12 Heterogeneous Autonomous Systems with OpenFlow and Non-OpenFlow Domains

 

Within the non-SDN AS, OSPF is used for interior routing. OSPF is not needed in an SDN domain; rather, the necessary routing information is reported from each data plane switch to the centralized controller using a southbound protocol (in this case, OpenFlow). Between each SDN domain and the AS, BGP is used to exchange information, such as the following:

 

Reachability update: Exchange of reachability information facilitates inter-SDN domain routing. This allows a single flow to traverse multiple SDNs and lets each controller select the most appropriate path in the network.

 

Flow setup, tear-down, and update requests: Controllers coordinate flow setup requests, which contain information such as path requirements, QoS, and so on, across multiple SDN domains.

 

Capability Update: Controllers exchange information on network-related capabilities such as bandwidth, QoS and so on, in addition to system and software capabilities available inside the domain.

 

Several additional points are worth observing with respect to Figure 5.12:

 

The figure depicts each AS as a cloud containing interconnected routers and, in the case of an SDN domain, a controller. The cloud represents an internet, so that the connection between any two routers is a network within the internet. Similarly, the connection between two adjacent autonomous systems is a network, which may be part of one of the two adjacent autonomous systems, or a separate network.

 

For an SDN domain, the BGP function is implemented in the SDN controller rather than a data plane router. This is because the controller is responsible for managing the topology and making routing decisions.

 

The figure shows a BGP connection between autonomous systems 1 and 3. It may be that these networks are not directly connected by a single network. However, if the two SDN domains are part of a single SDN system, or if they are federated, it may be desirable to exchange additional SDN-related information.

 

Using BGP for QoS Management

 

A common practice for inter-AS interconnection is a best-effort interconnection only. That is, traffic forwarding between autonomous systems is without traffic class differentiation and without any forwarding guarantee. It is common for network providers to reset any IP packet traffic class markings to zero, the best-effort marking, at the AS ingress router, which eliminates any traffic differentiation. Some providers perform higher-layer classification at the ingress to guess the forwarding requirements and to match them to their AS-internal QoS forwarding policy. There is no standardized set of classes, no standardized marking (class encoding), and no standardized forwarding behavior that cross-domain traffic could rely on. However, RFC 4594 (Configuration Guidelines for DiffServ Service Classes, August 2006) provides a set of “best practices” related to these parameters. QoS policy decisions are taken by network providers independently and in an uncoordinated fashion. This general statement does not cover existing individual agreements, which do offer quality-based interconnection with strict QoS guarantees. However, such service level agreement (SLA)-based agreements are bilateral or multilateral in nature and do not offer a means for a general “better than best effort” interconnection.

 

IETF is currently at work on a standardized scheme for QoS marking using BGP (BGP Extended Community for QoS Marking, draft-knoll-idr-qos-attribute-12, July 10, 2015). Meanwhile, SDN providers have implemented their own capabilities using the extensible nature of BGP. In either case, the interaction between SDN controllers in different domains using BGP would involve the steps illustrated in Figure 5.13 and described in the list that follows.

 
FIGURE 5.13 East-West Connection Establishment, Route, and Flow Setup

 

1. The SDN controller must be configured with BGP capability and with information about the location of neighboring BGP entities.

 

2. BGP is triggered by a start or activation event within the controller.

 

3. The BGP entity in the controller attempts to establish a TCP connection with each neighboring BGP entity.

 

4. Once a TCP connection is established, the controller’s BGP entity exchanges Open messages with the neighbor. Capability information is exchanged using the Open messages.

 

5. The exchange completes with the establishment of a BGP connection.

 

6. Update messages are used to exchange NLRI (network layer reachability information), indicating which networks are reachable via this entity. Reachability information is used in the selection of the most appropriate data path between SDN controllers. Information obtained through the NLRI parameter is used to update the controller’s Routing Information Base (RIB). This in turn enables the controller to set the appropriate flow information in the data plane switches.

 

7. The Update message can also be used to exchange QoS information, such as available capacity.

 

8. Route selection is performed by the BGP decision process when more than one path is available. Once the path is established, packets can traverse successfully between the two SDN domains.
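
The eight steps above, as an added toy model in Python that is neither the book's code nor a real BGP implementation: the TCP layer is omitted, and the message fields, the capability names and the capacity attribute carried in the Update are assumptions. It covers a neighbor that refuses acquisition, the Open/Keepalive handshake, RIB updates accepted only from Established peers, and the decision step when more than one path is known.

```python
# Toy model of the controller-to-controller BGP interaction in steps 1-8 above,
# added as an illustration; it is neither the book's code nor a real BGP
# implementation. The TCP layer is omitted, and the message fields, capability
# names and the capacity attribute carried in Update are assumptions.
from collections import namedtuple

# Messages exchanged by the BGP entities (field layout is a simplification).
Open = namedtuple("Open", "asn capabilities")                      # step 4: carries capabilities
Keepalive = namedtuple("Keepalive", "asn")                         # step 5: accepts / keeps alive
Update = namedtuple("Update", "asn nlri as_path capacity_mbps")    # steps 6-7: NLRI + QoS data
Route = namedtuple("Route", "next_hop_asn as_path capacity_mbps")  # one RIB entry


class ControllerBgp:
    """BGP entity inside an SDN controller. Step 1: peers are configured up front."""

    def __init__(self, asn, capabilities, neighbors, accept_sessions=True):
        self.asn = asn
        self.capabilities = frozenset(capabilities)
        self.neighbors = set(neighbors)      # configured peer ASNs
        self.accept_sessions = accept_sessions
        self.state = {}                      # peer asn -> session state
        self.peer_caps = {}                  # peer asn -> capabilities learned from Open
        self.rib = {}                        # prefix -> [Route, ...]

    def handle_open(self, msg):
        """Step 4: accept a configured peer's Open with a Keepalive, else refuse (None)."""
        if msg.asn not in self.neighbors or not self.accept_sessions:
            return None
        self.peer_caps[msg.asn] = msg.capabilities
        self.state[msg.asn] = "OpenConfirm"
        return Keepalive(self.asn)

    def handle_keepalive(self, msg):
        """Step 5: the peer's Keepalive completes the BGP connection."""
        if self.state.get(msg.asn) == "OpenConfirm":
            self.state[msg.asn] = "Established"

    def handle_update(self, msg):
        """Steps 6-7: NLRI and QoS data from an Established peer go into the RIB;
        an Update from a peer whose session never came up is dropped."""
        if self.state.get(msg.asn) != "Established":
            return False
        for prefix in msg.nlri:
            routes = self.rib.setdefault(prefix, [])
            routes[:] = [r for r in routes if r.next_hop_asn != msg.asn]  # newer advert wins
            routes.append(Route(msg.asn, list(msg.as_path), msg.capacity_mbps))
        return True

    def best_route(self, prefix):
        """Step 8: decision process when more than one path is known: shortest AS
        path, then most available capacity, then lowest neighbor ASN."""
        routes = self.rib.get(prefix, [])
        if not routes:
            return None
        return min(routes, key=lambda r: (len(r.as_path), -r.capacity_mbps, r.next_hop_asn))


def establish(a, b):
    """Steps 2-5 for one controller pair (TCP assumed up); True when Established."""
    ka_from_b = b.handle_open(Open(a.asn, a.capabilities))
    ka_from_a = a.handle_open(Open(b.asn, b.capabilities))
    if ka_from_b is None or ka_from_a is None:
        return False
    a.handle_keepalive(ka_from_b)
    b.handle_keepalive(ka_from_a)
    return True


def run_scenario():
    """Constructed scenario: controller 1 is configured with peers 2, 3 and 4;
    3 refuses neighbor acquisition, while 2 and 4 both advertise the same prefixes."""
    c1 = ControllerBgp(1, {"qos-marking"}, neighbors={2, 3, 4})
    c2 = ControllerBgp(2, {"qos-marking", "sdni"}, neighbors={1})
    c3 = ControllerBgp(3, set(), neighbors={1}, accept_sessions=False)
    c4 = ControllerBgp(4, {"qos-marking"}, neighbors={1})
    sessions = {peer.asn: establish(c1, peer) for peer in (c2, c3, c4)}
    accepted = (
        c1.handle_update(Update(2, ["10.1.0.0/16", "10.2.0.0/16"], [2], 1000)),
        c1.handle_update(Update(4, ["10.1.0.0/16", "10.2.0.0/16"], [4, 5], 10000)),
        c1.handle_update(Update(3, ["10.9.0.0/16"], [3], 100)),    # session never came up
        c1.handle_update(Update(4, ["10.2.0.0/16"], [4], 10000)),  # shorter path now
    )
    return {
        "sessions": sessions,
        "accepted": accepted,
        "caps_of_2": c1.peer_caps[2],
        "best_10_1": c1.best_route("10.1.0.0/16").next_hop_asn,  # 2: shorter AS path
        "best_10_2": c1.best_route("10.2.0.0/16").next_hop_asn,  # 4: equal length, more capacity
        "unknown": c1.best_route("10.9.0.0/16"),                 # None: never learned
    }
```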

 

IETF SDNi

 

IETF has developed a draft specification that defines common requirements to coordinate flow setup and exchange reachability information across multiple domains, referred to as SDNi (SDNi: A Message Exchange Protocol for Software Defined Networks across Multiple Domains, draft-yin-sdn-sdni-00.txt, June 27, 2012). The SDNi specification does not define an east/westbound SDN protocol but rather provides some of the basic principles to be used in developing such a protocol.

 

SDNi functionality, as defined in the document, includes the following:

 

Coordinate flow setup originated by applications, containing information such as path requirement, QoS, and service level agreements across multiple SDN domains.

 

Exchange reachability information to facilitate inter-SDN routing. This will allow a single flow to traverse multiple SDNs and have each controller select the most appropriate path when multiple such paths are available.

 

SDNi depends on the types of available resources and capabilities available and managed by the different controllers in each domain. Therefore, it is important to implement SDNi in a descriptive and open manner so that new capabilities offered by different types of controllers will be supported. Because SDN in essence allows for innovation, it is important that data exchanged between controllers will be dynamic in nature; that is, there should be some metadata exchange that will allow SDNi to exchange information about unknown capabilities.

 

The message types for SDNi tentatively include the following:

 

Reachability update

 

Flow setup/teardown/update request (including application capability requirement such as QoS, data rate, latency, and so on)

 

Capability update (including network-related capabilities, such as data rate and QoS, and system and software capabilities available inside the domain)

 

OpenDaylight SDNi

 

Included in the OpenDaylight architecture is an SDNi capability for connecting multiple OpenDaylight federated controllers in a network and sharing topology information among them. This capability appears to be compatible with the IETF specification for an SDNi function. The SDNi application deployable on an OpenDaylight controller consists of three components, as illustrated in Figure 5.14 and described in the list that follows.

 
FIGURE 5.14 SDNi Components in OpenDaylight Structure (Helium)

 

SDNi aggregator: The northbound SDNi plug-in acts as an aggregator for collecting network information such as topology, statistics, and host identifiers. This plug-in can evolve to meet the needs for network data to be shared across federated SDN controllers.

 

SDNi REST API: SDNi REST APIs fetch the aggregated information from the northbound plug-in (SDNi aggregator).

 

SDNi wrapper: The SDNi BGP wrapper is responsible for sharing information with, and collecting information from, federated controllers.

 

Figure 5.15 shows the interrelationship of the components, with a more detailed look at the SDNi wrapper. The SDNi aggregator collects statistics and parameters from the base network service functions, on behalf of requests via the REST API. The heart of the wrapper is an OpenDaylight implementation of the Border Gateway Protocol (BGP). BGP is an ERP suitable for exchanging routing information between routers that connect SDN domains.

 
FIGURE 5.15 OpenDaylight SDNi Wrapper

 

5.6 Key Terms

 

After completing this chapter, you should be able to define the following terms.

 

Border Gateway Protocol (BGP)

 

centralized controller

 

distributed controller

 

east/westbound interface

 

exterior router protocol (ERP)

 

interior router protocol (IRP)

 

neighbor acquisition

 

neighbor reachability

 

network operating system (NOS)

 

network reachability

 

northbound interface

 

Open Service Gateway Initiative (OSGi)

 

OpenDaylight

 

OpenFlow

 

REpresentational State Transfer (REST)

 

RESTful

 

routing

 

Ryu

 

SDN control plane

 

SDNi

 

service abstraction layer (SAL)

 

southbound interface

 

Uniform Resource Identifier (URI)

 

5.7 References

 

GUPT14: Gupta, D., and Jahan, R. Inter-SDN Controller Communication: Using Border Gateway Protocol. Tata Consultancy Services White Paper, 2014. http://www.tcs.com.

 

KREU15: Kreutz, D., et al. “Software-Defined Networking: A Comprehensive Survey.” Proceedings of the IEEE, January 2015.

 

Chapter 6. SDN Application Plane

 

Life in the modern world is coming to depend more and more upon technical means of communication. Without such technical aids the modern city-state could not exist, for it is only by means of them that trade and business can proceed; that goods and services can be distributed where needed; that railways can run on schedule; that law and order are maintained; that education is possible. Communication renders true social life practicable, for communication means organization.

 

On Human Communication, Colin Cherry

 

Chapter Objectives: After studying this chapter, you should be able to

 

Present an overview of the SDN application plane architecture.

 

Define the network services abstraction layers.

 

List and explain three forms of abstraction in SDN.

 

List and describe six major application areas of interest for SDN.

 
 

The power of the software-defined networking (SDN) approach to networking is in the support it provides for network applications to monitor and manage network behavior. The SDN control plane provides the functions and services that facilitate rapid development and deployment of network applications.

 

While the SDN data and control planes are well defined, there is much less agreement on the nature and scope of the application plane. At minimum, the application plane includes a number of network applications—that is, applications that specifically deal with network management and control. There is no agreed-upon set of such applications or even categories of such applications. Further, the application layer may include general-purpose network abstraction tools and services that might also be viewed as part of the functionality of the control plane.

 

With these limitations in mind, this chapter provides an overview of the SDN application plane. Section 6.1 begins with an overview of the SDN application plane architecture. Section 6.2 looks at a key component of that architecture, the network services abstraction layer. The remaining sections look at six major application areas that can be supported by SDN. These sections also describe a number of specific examples. The examples were chosen to give the reader a feel for the range of applications that can benefit from an SDN infrastructure.

 

6.1 SDN Application Plane Architecture

 

The application plane contains applications and services that define, monitor, and control network resources and behavior. These applications interact with the SDN control plane via application-control interfaces, for the SDN control layer to automatically customize the behavior and the properties of network resources. The programming of an SDN application makes use of the abstracted view of network resources provided by the SDN control layer by means of information and data models exposed via the application-control interface.

 

This section provides an overview of application plane functionality, depicted in Figure 6.1. The elements in this figure are analyzed through a bottom-up approach, and subsequent sections provide detail on specific application areas.

 
FIGURE 6.1 SDN Application Plane Functions and Interfaces

 

Northbound Interface

 

As described in Chapter 5, “SDN Control Plane,” the northbound interface enables applications to access control plane functions and services without needing to know the details of the underlying network switches. Typically, the northbound interface provides an abstract view of network resources controlled by the software in the SDN control plane.

 

Figure 6.1 indicates that the northbound interface can be a local or remote interface. For a local interface, the SDN applications are running on the same server as the control plane software (controller network operating system). Alternatively, the applications could be run on remote systems, and the northbound interface is a protocol or application programming interface (API) that connects the applications to the controller network operating system (NOS) running on a central server. Both architectures are likely to be implemented.

 

An example of a northbound interface is the REST API for the Ryu SDN network operating system, described in Section 5.4.

 

Network Services Abstraction Layer

 

RFC 7426 defines a network services abstraction layer between the control and application planes and describes it as a layer that provides service abstractions that can be used by applications and services. Several functional concepts are suggested by the placement of this layer in the SDN architecture:

 

This layer could provide an abstract view of network resources that hides the details of the underlying data plane devices.

 

This layer could provide a generalized view of control plane functionality, so that applications could be written that would operate across a range of controller network operating systems.

 

This functionality is similar to that of a hypervisor or virtual machine monitor that decouples applications from the underlying OS and underlying hardware.

 

This layer could provide a network virtualization capability that allows different views of the underlying data plane infrastructure.

 

Arguably, the network services abstraction layer could be considered to be part of the northbound interface, with the functionality incorporated in the control plane or the application plane.

 

A wide range of schemes have been developed that roughly fall into this layer, and a full treatment is beyond our scope. Section 6.2 provides several examples for a better understanding.

 

Network Applications

 

There are many network applications that could be implemented for an SDN. Different published surveys of SDN have come up with different lists and even different general categories of SDN-based network applications. Figure 6.1 includes six categories that encompass the majority of SDN applications. Later sections of this chapter provide an overview of each area.

 

User Interface

 

The user interface enables a user to configure parameters in SDN applications and to interact with applications that support user interaction. Again, there are two possible interfaces. A user that is collocated with the SDN application server (which may or may not include the control plane) can use the server’s keyboard/display. More typically, the user would log on to the application server over a network or communications facility.

 

6.2 Network Services Abstraction Layer

 

In the context of this discussion, abstraction refers to the amount of detail about lower levels of the model that is visible to higher levels. More abstraction means less detail; less abstraction means more detail. An abstraction layer is a mechanism that translates a high-level request into the low-level commands required to perform the request. An API is one such mechanism. It shields the implementation details of a lower level of abstraction from software at a higher level. A network abstraction represents the basic properties or characteristics of network entities (such as switches, links, ports, and flows) in such a way that network programs can focus on the desired functionality without having to program the detailed actions.

 

Abstractions in SDN

 

Scott Shenker, an Open Networking Foundation (ONF) board member and OpenFlow researcher, indicates that SDN can be defined by three fundamental abstractions [SHEN11]: forwarding, distribution, and specification, as illustrated in Figure 6.2 and described further in the sections that follow.

 
FIGURE 6.2 SDN Architecture and Abstractions

 
Forwarding Abstraction
 

The forwarding abstraction allows a control program to specify data plane forwarding behavior while hiding details of the underlying switching hardware. This abstraction supports the data plane forwarding function. By abstracting away from the forwarding hardware, it provides flexibility and vendor neutrality.

 

See Sections 4.1, “SDN Data Plane,” and 4.2, “OpenFlow Logical Network Device”

 

The OpenFlow API is an example of a forwarding abstraction.

 
Distribution Abstraction
 

This abstraction arises in the context of distributed controllers. A cooperating set of distributed controllers maintains a state description of the network and routes through the networks. The distributed state of the entire network may involve partitioned data sets, with controller instances exchanging routing information, or a replicated data set, so that the controllers must cooperate to maintain a consistent view of the global network.

 

This abstraction aims at hiding complex distributed mechanisms (used today in many networks) and separating state management from protocol design and implementation. It allows providing a single coherent global view of the network through an annotated network graph accessible for control via an API. An implementation of such an abstraction is an NOS, such as OpenDaylight or Ryu.

 
Specification Abstraction
 

The distribution abstraction provides a global view of the network as if there is a single central controller, even if multiple cooperating controllers are used. The specification abstraction then provides an abstract view of the global network. This view provides just enough detail for the application to specify goals, such as routing or security policy, without providing the information needed to implement the goals. The presentation by Shenker [SHEN11] summarizes these abstractions as follows:

 

Forwarding interface: An abstract forwarding model that shields higher layers from forwarding hardware.

 

Distribution interface: A global network view that shields higher layers from state dissemination/collection.

 

Specification interface: An abstract network view that shields application programs from the details of the physical network.

 

Figure 6.3 is a simple example of a specification abstraction. The physical network is a collection of interconnected SDN data plane switches. The abstract view is a single virtual switch. The physical network may consist of a single SDN domain. Ports on edge switches that connect to other domains and to hosts are mapped into ports on the virtual switch. At the application level, a module can be executed to learn the media access control (MAC) addresses of hosts. When a previously unknown host sends a packet, the application module can associate that address with the input port and direct future traffic destined for this host to that port. Similarly, if a packet arrives at one of the virtual switch ports with an unknown destination address, the module floods that packet to all output ports. The abstraction layer translates these actions into actions on the entire physical network, performing the internal forwarding within the domain.

 
FIGURE 6.3 Virtualization of a Switching Fabric for MAC Learning

 

Frenetic

 

An example of a network services abstraction layer is the programming language Frenetic. Frenetic enables network operators to program the network as a whole instead of manually configuring individual network elements. Frenetic was designed to solve challenges with the use of OpenFlow-based models by working with an abstraction at the network level, as opposed to OpenFlow, which goes directly down to the network element level.

 

Frenetic includes an embedded query language that provides effective abstractions for reading network state. This language is similar to SQL and includes segments for selecting, filtering, splitting, merging and aggregating the streams of packets. Another special feature of this language is that it enables the queries to be composed with forwarding policies. A compiler produces the control messages needed to query and tabulate the counters on switches.

 

Frenetic consists of two levels of abstraction, as illustrated in Figure 6.4. The upper level, which is the Frenetic source-level API, provides a set of operators for manipulating streams of network traffic. The query language provides means for reading the state of the network, merging different queries, and expressing high-level predicates for classifying, filtering, transforming, and aggregating the packet streams traversing the network. The lower level of abstraction is provided by a run-time system that operates in the SDN controller. It translates high-level policies and queries into low-level flow rules and then issues the needed OpenFlow commands to install these rules on the switches.

 
FIGURE 6.4 Frenetic Architecture

 

To get some idea of the two levels of abstraction, consider a simple example, from a paper by Foster in the February 2013 IEEE Communications Magazine [FOST13]. The program combines forwarding functionality with monitoring web traffic functionality. Consider the following Python program, which executes at the run-time level, to control OpenFlow switches:

 

def switch_join(s):
    # Patterns: all traffic on port 1, web traffic on port 2, all traffic on port 2
    pat1 = {inport:1}
    pat2web = {inport:2, srcport:80}
    pat2 = {inport:2}
    install(s, pat1, DEFAULT, [fwd(2)])
    install(s, pat2web, HIGH, [fwd(1)])    # HIGH priority: matched before pat2
    install(s, pat2, DEFAULT, [fwd(1)])
    query_stats(s, pat2web)                # ask for the counters of the web rule

def stats_in(s, xid, pat, pkts, bytes):
    # Reply handler: report the bytes, wait, then poll the same rule again
    print(bytes)
    sleep(30)
    query_stats(s, pat)

 

When a switch joins the network, the program installs three forwarding rules in the switch for three types of traffic: traffic arriving on port 1, web traffic arriving on port 2, and other traffic arriving on port 2. The second rule has HIGH priority and so takes precedence over the third rule, which has default priority. The call to query_stats generates a request for the counters associated with the pat2web rule. When the controller receives the reply, it invokes the stats_in handler. This function prints the statistics polled on the previous iteration of the loop, waits 30 seconds, and then issues a request to the switch for statistics matching the same rule.

 

程序的编写方式、转发逻辑和网络监控是交织在一起的。这反映了底层 OpenFlow 功能的本质。对任一函数的任何更改或添加都会以复杂的方式影响程序。

The way the program is written, the logic for forwarding and web monitoring are intertwined. This reflects the nature of the underlying OpenFlow functionality. Any changes or additions to either function will affect the program in a complex way.

 

使用Frenetic,这两个函数可以分别表示,如下:

With Frenetic, these two functions can be expressed separately, as follows:

 

点击这里查看代码图片

Click here to view code image

 

# Frenetic program: forwarding and monitoring written as separate functions.
# Rule, register, Select, Where, Every and Print are Frenetic constructs.
def repeater():
    # Forwarding: relay everything between port 1 and port 2
    rules=[Rule(inport:1, [fwd(2)]),
           Rule(inport:2, [fwd(1)])]
    register(rules)

def web_monitor():
    # Monitoring: byte counts of web traffic on port 2, reported every 30 seconds
    q = (Select(bytes) *
         Where(inport=2 & srcport=80) *
         Every(30))
    q >> Print()

def main():
    repeater()
    web_monitor()

With this code, it would be easy to change the monitor program or swap it out for another monitor program without touching the repeater code, and similarly for changes to the repeater program. Importantly, the responsibility for installing specific OpenFlow rules that realize both components simultaneously is delegated to the run-time system. For this example, the run-time system would generate the same rules as the manually constructed rules in the switch_join function listed above.
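The two listings above are the paper's illustrative code and depend on the Frenetic run time, so they cannot be executed as printed. As an added example, not taken from the book, the Foster paper or the Frenetic project, the following Python models the flow table that both programs manipulate and checks the claim just made: composing the repeater's two forwarding rules with the web monitor's predicate yields the same three rules that switch_join installs by hand. The class names Switch and Rule, the priority values, and the compose function are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Priority levels used by the hand-written program (constructed values)
DEFAULT, HIGH = 0, 10


@dataclass
class Rule:
    match: Dict[str, int]       # header fields to match, e.g. {"inport": 2, "srcport": 80}
    priority: int
    actions: List[str]          # e.g. ["fwd(1)"]
    pkts: int = 0               # per-rule counters, as kept by an OpenFlow switch
    nbytes: int = 0

    def matches(self, pkt: Dict[str, int]) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


class Switch:
    """Flow table: the highest-priority matching rule decides the action and
    owns the counters, which is why pat2web must be HIGH to be counted separately."""

    def __init__(self) -> None:
        self.table: List[Rule] = []

    def install(self, match: Dict[str, int], priority: int, actions: List[str]) -> None:
        self.table.append(Rule(dict(match), priority, list(actions)))

    def process(self, pkt: Dict[str, int]) -> Optional[str]:
        hits = [r for r in self.table if r.matches(pkt)]
        if not hits:
            return None                     # table miss
        best = max(hits, key=lambda r: r.priority)
        best.pkts += 1
        best.nbytes += pkt["len"]
        return best.actions[0]

    def query_stats(self, match: Dict[str, int]) -> Tuple[int, int]:
        """Counters of the rule with exactly this match, as query_stats asks for them."""
        for r in self.table:
            if r.match == match:
                return r.pkts, r.nbytes
        raise KeyError(match)


def switch_join(s: Switch) -> None:
    """The three rules the run-time-level program installs by hand."""
    s.install({"inport": 1}, DEFAULT, ["fwd(2)"])
    s.install({"inport": 2, "srcport": 80}, HIGH, ["fwd(1)"])
    s.install({"inport": 2}, DEFAULT, ["fwd(1)"])


def compose(forwarding: List[Rule], monitor_match: Dict[str, int]) -> List[Rule]:
    """Frenetic-style composition (this example's own rendering of it): every
    forwarding rule that overlaps the monitored predicate is refined into a HIGH
    rule with the same actions, so the monitor gets its own counters while the
    forwarding behaviour stays exactly as the repeater defined it."""
    out: List[Rule] = []
    for r in forwarding:
        overlaps = all(r.match.get(k, v) == v for k, v in monitor_match.items())
        if overlaps and r.match != monitor_match:
            out.append(Rule({**r.match, **monitor_match}, HIGH, list(r.actions)))
        out.append(Rule(dict(r.match), r.priority, list(r.actions)))
    return out


def rules_of(table: List[Rule]) -> List[Tuple[Tuple[Tuple[str, int], ...], int, str]]:
    """Hashable summary of a table for comparison."""
    return [(tuple(sorted(r.match.items())), r.priority, r.actions[0]) for r in table]


def demo() -> bool:
    """True when the composed rules equal the hand-written ones from switch_join."""
    hand = Switch()
    switch_join(hand)
    repeater = [Rule({"inport": 1}, DEFAULT, ["fwd(2)"]),
                Rule({"inport": 2}, DEFAULT, ["fwd(1)"])]
    composed = compose(repeater, {"inport": 2, "srcport": 80})
    return rules_of(composed) == rules_of(hand.table)


if __name__ == "__main__":
    print("composition matches hand-written rules:", demo())
```

The point for a practitioner is in compose: the monitor never changes a forwarding action, it only splits a rule so that the monitored subset gets separate counters. A monitoring rule that carried a different action would silently change forwarding, and keeping the two concerns from interfering in the installed table is exactly the job the text delegates to the run-time system.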

 

6.3 Traffic Engineering

Traffic engineering is a method for dynamically analyzing, regulating, and predicting the behavior of data flowing in networks with the aim of performance optimization to meet service level agreements (SLAs). Traffic engineering involves establishing routing and forwarding policies based on QoS requirements. With SDN, the task of traffic engineering should be considerably simplified compared with a non-SDN network. SDN offers a uniform global view of heterogeneous equipment and powerful tools for configuring and managing network switches.

This is an area of great activity in the development of SDN applications. The SDN survey paper by Kreutz in the January 2015 Proceedings of the IEEE [KREU15] lists the following traffic engineering functions that have been implemented as SDN applications:

On-demand virtual private networks
Load balancing
Energy-aware routing
Quality of service (QoS) for broadband access networks
Scheduling/optimization
Traffic engineering with minimal overhead
Dynamic QoS routing for multimedia apps
Fast recovery through fast-failover groups
QoS policy management framework
QoS enforcement
QoS over heterogeneous networks
Multiple packet schedulers
Queue management for QoS enforcement
Divide and spread forwarding tables

PolicyCop

An instructive example of a traffic engineering SDN application is PolicyCop [BARI13], which is an automated QoS policy enforcement framework. It leverages the programmability offered by SDN and OpenFlow for

Dynamic traffic steering
Flexible flow-level control
Dynamic traffic classes
Custom flow aggregation levels

Key features of PolicyCop are that it monitors the network to detect policy violations (based on a QoS SLA) and reconfigures the network to reinforce the violated policy.

As shown in Figure 6.5, PolicyCop consists of eleven software modules and two databases, installed in both the application plane and the control plane. PolicyCop uses the control plane of SDNs to monitor compliance with QoS policies and can automatically adjust the control plane rules and flow tables in the data plane based on the dynamic network traffic statistics.

FIGURE 6.5 PolicyCop Architecture

In the control plane, PolicyCop relies on four modules and a database for storing control rules, described as follows:

Admission Control: Accepts or rejects requests from the resource provisioning module for reserving network resources, such as queues, flow-table entries, and capacity.

Routing: Determines path availability based on the control rules in the rule database.

Device Tracker: Tracks the up/down status of network switches and their ports.

Statistics Collection: Uses a mix of passive and active monitoring techniques to measure different network metrics.

Rule Database: The application plane translates high-level network-wide policies to control rules and stores them in the rule database.

A RESTful northbound interface connects these control plane modules to the application plane modules, which are organized into two components: a policy validator that monitors the network to detect policy violations, and a policy enforcer that adapts control plane rules based on network conditions and high-level policies. Both modules rely on a policy database, which contains QoS policy rules entered by a network manager. The modules are as follows:

Traffic Monitor: Collects the active policies from the policy database, and determines the appropriate monitoring interval, network segments, and metrics to be monitored.

Policy Checker: Checks for policy violations, using input from the policy database and the Traffic Monitor.

Event Handler: Examines violation events and, depending on event type, either automatically invokes the policy enforcer or sends an action request to the network manager.

Topology Manager: Maintains a global view of the network, based on input from the device tracker.

Resource Manager: Keeps track of currently allocated resources using admission control and statistics collection.

Policy Adaptation: Consists of a set of actions, one for each type of policy violation. Table 6.1 shows the general functionality of some of the policy adaptation actions. The actions are pluggable components that can be specified by the network manager.

TABLE 6.1 Functionality of Some Example Policy Adaptation Actions (PAAs)

Resource Provisioning: This module either allocates more resources or releases existing ones, or both, based on the violation event.

Figure 6.6 shows the process workflow in PolicyCop.

FIGURE 6.6 PolicyCop Workflow

6.4 Measurement and Monitoring

The area of measurement and monitoring applications can roughly be divided into two categories: applications that provide new functionality for other networking services, and applications that add value to OpenFlow-based SDNs.

An example of the first category is in the area of broadband home connections. If the connection is to an SDN-based network, new functions can be added to the measurement of home network traffic and demand, allowing the system to react to changing conditions. The second category typically involves using different kinds of sampling and estimation techniques to reduce the burden on the control plane in the collection of data plane statistics.

6.5 Security

Applications in this area have one of two goals:

Address security concerns related to the use of SDN: SDN involves a three-layer architecture (application, control, data) and new approaches to distributed control and encapsulating data. All of this introduces the potential for new vectors for attack. Threats can occur at any of the three layers or in the communication between layers. SDN applications are needed to provide for the secure use of SDN itself.

Use the functionality of SDN to improve network security: Although SDN presents new security challenges for network designers and managers, it also provides a platform for implementing consistent, centrally managed security policies and mechanisms for the network. SDN allows the development of SDN security controllers and SDN security applications that can provision and orchestrate security services and mechanisms.

This section provides an example of an SDN security application that illustrates the second goal. We examine the topic of SDN security in detail in Chapter 16, "Security."

OpenDaylight DDoS Application

In 2014, Radware, a provider of application delivery and application security solutions for virtual and cloud data centers, announced its contribution to the OpenDaylight Project with Defense4All, an open SDN security application integrated into OpenDaylight. Defense4All offers carriers and cloud providers distributed denial of service (DDoS) detection and mitigation as a native network service. Using the OpenDaylight SDN Controller to program SDN-enabled networks so that they become part of the DoS/DDoS protection service itself, Defense4All enables operators to provision a DoS/DDoS protection service per virtual network segment or per customer.

Defense4All uses a common technique for defending against DDoS attacks, which consists of the following elements:

Collection of traffic statistics and learning of the statistical behavior of protected objects during peacetime. The normal traffic baselines of the protected objects are built from these collected statistics.

Detection of DDoS attack patterns as traffic anomalies deviating from the normal baselines.

Diversion of suspicious traffic from its normal path to attack mitigation systems (AMSs) for traffic scrubbing, selective source blockage, and so on. Clean traffic exiting the scrubbing centers is re-injected toward the packet's original destination.

Figure 6.7 shows the overall context of the Defense4All application. The underlying SDN network consists of a number of data plane switches that support traffic among client and server devices. Defense4All operates as an application that interacts with the controller over the OpenDaylight controller (ODC) northbound API. Defense4All supports a user interface for network managers that can be either a command line interface or a RESTful API. Finally, Defense4All has an API to communicate with one or more AMSs.

FIGURE 6.7 OpenDaylight DDoS Application

Administrators can configure Defense4All to protect certain networks and servers, known as protected networks (PNs) and protected objects (POs). The application instructs the controller to install traffic counting flows for each protocol of each configured PO in every network location through which traffic of the subject PO flows.

Defense4All then monitors traffic of all configured POs, summarizing readings, rates, and averages from all relevant network locations. If it detects a deviation from normal learned traffic behavior in a protocol (such as TCP, UDP, ICMP, or the rest of the traffic) of a particular PO, Defense4All declares an attack against that protocol in the subject PO. Specifically, Defense4All continuously calculates traffic averages for the real-time traffic it measures using OpenFlow; when real-time traffic deviates by 80% from the average, an attack is assumed.

To mitigate a detected attack, Defense4All performs the following procedure:

1. It validates that the AMS device is alive and selects a live connection to it. Currently, Defense4All is configured to work with Radware's AMS, known as DefensePro.

2. It configures the AMS with a security policy and normal rates of the attacked traffic. This provides the AMS with the information needed to enforce a mitigation policy until traffic returns to normal rates.

3. It starts monitoring and logging syslogs arriving from the AMS for the subject traffic. As long as Defense4All continues receiving syslog attack notifications from the AMS regarding this attack, Defense4All continues to divert traffic to the AMS, even if the flow counters for this PO no longer indicate an attack.

4. It maps the selected physical AMS connection to the relevant PO link. This typically involves changing link definitions on a virtual network, using OpenFlow.

5. It installs higher-priority flow table entries so that the attack traffic flow is redirected to the AMS and re-injects traffic from the AMS back into the normal traffic flow route. When Defense4All decides that the attack is over (no attack indication from either the flow table counters or the AMS), it reverts the previous actions: It stops monitoring for syslogs about the subject traffic, it removes the traffic diversion flow table entries, and it removes the security configuration from the AMS. Defense4All then returns to peacetime monitoring.
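As an added example, not Defense4All's own code (the text names its modules but not their interfaces), the following Python reduces the detection rule and the mitigation lifecycle described above to their essentials: a peacetime baseline per (protected object, protocol) counter, the 80% deviation test, and the rule that diversion remains installed while either the flow counters or the AMS syslog notifications still indicate the attack. The byte rates and the scenario are constructed; the class names and the 80% constant's name are this example's own.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Tuple

DEVIATION = 0.80    # the 80% deviation from the average at which an attack is assumed


@dataclass
class Baseline:
    """Peacetime byte-rate samples for one (protected object, protocol) counter."""
    samples: List[float] = field(default_factory=list)

    def learn(self, rate: float) -> None:
        self.samples.append(rate)

    @property
    def average(self) -> float:
        return mean(self.samples) if self.samples else 0.0


def deviates(rate: float, baseline: float) -> bool:
    """The detection test from the text: real-time rate against the learned average."""
    if baseline <= 0:
        return False        # nothing learned yet; never alarm on an empty baseline
    return abs(rate - baseline) / baseline >= DEVIATION


class Detector:
    """One baseline per (PO, protocol). Learning happens only in peacetime, so
    attack traffic never pollutes what counts as normal."""

    def __init__(self) -> None:
        self.baselines: Dict[Tuple[str, str], Baseline] = {}

    def peacetime(self, po: str, proto: str, rate: float) -> None:
        self.baselines.setdefault((po, proto), Baseline()).learn(rate)

    def check(self, po: str, proto: str, rate: float) -> bool:
        b = self.baselines.get((po, proto))
        return b is not None and deviates(rate, b.average)


class AttackLifecycle:
    """Steps 1-5 above reduced to their state. Diversion stays installed while
    either the flow counters or the AMS syslog notifications still indicate
    the attack; it is removed only when both are quiet."""

    def __init__(self) -> None:
        self.diverting = False
        self.log: List[str] = []

    def update(self, counters_alarm: bool, ams_notifying: bool) -> bool:
        if not self.diverting and counters_alarm:
            self.diverting = True
            self.log.append("declare attack: configure AMS, install diversion entries")
        elif self.diverting and not (counters_alarm or ams_notifying):
            self.diverting = False
            self.log.append("attack over: remove diversion entries, remove AMS config")
        return self.diverting


def run_scenario() -> Tuple[float, List[bool], List[str]]:
    """Constructed scenario: five peacetime TCP readings (average 100), a surge
    that trips the 80% rule, a phase where only the AMS still reports the attack,
    then recovery."""
    det = Detector()
    for rate in [100.0, 110.0, 95.0, 105.0, 90.0]:
        det.peacetime("web-po", "tcp", rate)
    life = AttackLifecycle()
    states: List[bool] = []
    # (real-time TCP byte rate, does the AMS syslog still report the attack?)
    for rate, ams in [(105.0, False), (190.0, False), (400.0, True), (120.0, True), (100.0, False)]:
        states.append(life.update(det.check("web-po", "tcp", rate), ams))
    return det.baselines[("web-po", "tcp")].average, states, life.log


if __name__ == "__main__":
    print(run_scenario())
```

Two details carry most of the operational weight and are where a real deployment gets tuned. The baseline is not updated while an attack is in progress, otherwise the attack traffic would become part of "normal" and the next attack would need to be larger to be noticed. And the lifecycle ends only when both signals clear, which is what keeps the system from flapping between diversion and the normal route while the AMS is still scrubbing.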

 

Figure 6.8 shows the principal software components of Defense4All. The overall application structure, referred to as a framework, contains the modules described in the list that follows.

FIGURE 6.8 Defense4All Software Architecture Detail

Web (REST) Server: Interface to the network manager.

Framework Main: Mechanism to start, stop, or reset the framework.

Framework REST Service: Responds to user requests received through the web (REST) server.

Framework Management Point: Coordinates and invokes control and configuration commands.

Defense4All Application: Described subsequently.

Common Classes and Utilities: A library of convenient classes and utilities from which any framework or SDN application module can benefit.

Repository Services: One of the key elements in the framework philosophy is decoupling the compute state from the compute logic. All durable state is stored in a set of repositories that can then be replicated, cached, and distributed, with no awareness of the compute logic (framework or application).

Logging and Flight Recorder Services: The logging service logs error, warning, trace, or informational messages. These logs are mainly for Defense4All developers. The Flight Recorder records events and metrics during run time from Java applications.

Health Tracker: Holds aggregated run-time indicators of the operational health of Defense4All and acts in response to severe functional or performance deteriorations.

Cluster Manager: Responsible for managing coordination with other Defense4All entities operating in a cluster mode.

The Defense4All Application module consists of the following elements.

DF App Root: The root module of the application.

DF Rest Service: Responds to Defense4All application REST requests.

DF Management Point: The point from which control and configuration commands are driven. DFMgmtPoint in turn invokes methods on the other relevant modules in the right order.

ODL Reps: A pluggable module set for different versions of the ODC. It comprises two functions in two submodules: stats collection for relevant traffic and diversion of that traffic.

SDN Stats Collector: Responsible for setting "counters" for every PN at specified network locations (physical or logical). A counter is a set of OpenFlow flow entries in ODC-enabled network switches and routers. The module periodically collects statistics from those counters and feeds them to the SDNBasedDetectionMgr. The module uses the SDNStatsCollectionRep both to set the counters and to read the latest statistics from them. A stat report consists of read time, counter specification, PN label, and a list of trafficData information, where each trafficData element contains the latest bytes and packet values for the flow entries configured for <protocol,port,direction> in the counter location. The protocol can be {tcp,udp,icmp,other ip}, the port is any Layer 4 port, and the direction can be {inbound, outbound}.

SDN Based Detection Manager: A container for pluggable SDN-based detectors. It feeds stat reports received from the SDNStatsCollector to the plugged-in SDN-based detectors. It also passes all SDN-based detectors the notifications from the AttackDecisionPoint about ended attacks (so as to allow reset of detection mechanisms). Each detector learns for each PN its normal traffic behavior over time, and notifies the AttackDecisionPoint when it detects traffic anomalies.

Attack Decision Point: Responsible for maintaining the attack lifecycle, from declaring a new attack to terminating diversion when an attack is considered over.

Mitigation Manager: A container for pluggable mitigation drivers. It maintains the lifecycle of each mitigation being executed by an AMS. Each mitigation driver is responsible for driving attack mitigations using the AMSs in its sphere of management.

AMS Based Detector: This module is responsible for monitoring/querying attack mitigation by AMSs.

AMS Rep: Controls the interface to AMSs.

Figure 6.8 suggests the complexity of even a relatively straightforward SDN application.

Finally, it is worth noting that Radware has developed a commercial version of Defense4All, named DefenseFlow. DefenseFlow implements more sophisticated algorithms for attack detection based on fuzzy logic. The main benefit is that DefenseFlow has a greater ability to distinguish attack traffic from abnormal but legitimate high volumes of traffic.

6.6 Data Center Networking

So far we've discussed three areas of SDN applications: traffic engineering, measurement and monitoring, and security. The provided examples of these applications suggest the broad range of use cases for them, in many different kinds of networks. The remaining three application areas (data center networking, mobility and wireless, and information-centric networking) have use cases in specific types of networks.

Cloud computing, big data, large enterprise networks, and even, in many cases, smaller enterprise networks depend strongly on highly scalable and efficient data centers. [KREU15] lists the following as key requirements for data centers: high and flexible cross-section bandwidth and low latency, QoS based on the application requirements, high levels of resilience, intelligent resource utilization to reduce energy consumption and improve overall efficiency, and agility in provisioning network resources (for example, by means of network virtualization and orchestration with computing and storage).

With traditional network architectures, many of these requirements are difficult to satisfy because of the complexity and inflexibility of the network. SDN offers the promise of substantial improvement in the ability to rapidly modify data center network configurations, to flexibly respond to user needs, and to ensure efficient operation of the network.

The remainder of this subsection examines two example data center SDN applications.

Big Data over SDN

A paper by Wang, et al., in the Proceedings of HotSDN'12 [WANG12], reports on an approach to use SDN to optimize data center networking for big data applications. The approach leverages the capabilities of SDN to provide application-aware networking. It also exploits characteristics of structured big data applications as well as recent trends in dynamically reconfigurable optical circuits. With respect to structured big data applications, many of these applications process data according to well-defined computation patterns, and also have a centralized management structure that makes it possible to leverage application-level information to optimize the network. That is, knowing the anticipated computation patterns of the big data application, it is possible to intelligently deploy the data across the big data servers and, more significantly, react to changing application patterns by using SDN to reconfigure flows in the network.

Compared to electronic switches, optical switches have the advantages of greater data rates with reduced cabling complexity and energy consumption. A number of projects have demonstrated how to collect network-level traffic data and intelligently allocate optical circuits between endpoints (for example, top-of-rack switches) to improve application performance. However, circuit utilization and application performance can be inadequate unless there is a true application-level view of traffic demands and dependencies. Combining an understanding of the big data computation patterns with the dynamic capabilities of SDN, efficient data center networking configurations can be used to support the increasing big data demands.

Figure 6.9 shows a simple hybrid electrical and optical data center network, in which OpenFlow-enabled top-of-rack (ToR) switches are connected to two aggregation switches: an Ethernet switch and an optical circuit switch (OCS). All the switches are controlled by an SDN controller that manages physical connectivity among ToR switches over optical circuits by configuring the optical switch. It can also manage the forwarding at ToR switches using OpenFlow rules.

FIGURE 6.9 Integrated Network Control for Big Data Applications [WANG12]

The SDN controller is also connected to the Hadoop scheduler, which forms queues of jobs to be scheduled, and to the HBase Master controller of a relational database holding data for the big data applications. In addition, the SDN controller connects to a Mesos cluster manager. Mesos is an open source software package that provides scheduling and resource allocation services across distributed applications.

The SDN controller makes network topology and traffic information available to the Mesos cluster manager. In turn, the SDN controller accepts traffic demand requests from the Mesos manager.

With the organization of Figure 6.8, it is possible to set up a scheme whereby the traffic demands of big data applications are used to dynamically manage the network, using the SDN controller to manage this task.

Cloud Networking over SDN

Cloud Network as a Service (CloudNaaS) is a cloud networking system that exploits OpenFlow SDN capabilities to provide a greater degree of control over cloud network functions by the cloud customer [BENS11]. CloudNaaS enables users to deploy applications that include a number of network functions, such as virtual network isolation, custom addressing, service differentiation, and flexible interposition of various middleboxes. CloudNaaS primitives are directly implemented within the cloud infrastructure itself using high-speed programmable network elements, making CloudNaaS highly efficient.

Figure 6.10 illustrates the principal sequence of events in the CloudNaaS operation, as described in the list that follows.

FIGURE 6.10 Various Steps in the CloudNaaS Framework

a. A cloud customer uses a simple policy language to specify network services required by the customer applications. These policy statements are issued to a cloud controller server operated by the cloud service provider.

b. The cloud controller maps the network policy into a communication matrix that defines desired communication patterns and network services. The matrix is used to determine the optimal placement of virtual machines (VMs) on cloud servers such that the cloud can satisfy the largest number of global policies in an efficient manner. This is done based on the knowledge of other customers' requirements and their current levels of activity.

c. The logical communication matrix is translated into network-level directives for data plane forwarding elements. The customer's VM instances are deployed by creating and placing the specified number of VMs.

d. The network-level directives are installed into the network devices via OpenFlow.

客户看到的抽象网络模型由虚拟机和将虚拟机连接在一起的虚拟网段组成。策略语言构造识别组成应用程序的一组虚拟机,并定义附加到虚拟网段的各种功能和能力。主要构造如下:

The abstract network model seen by the customer consists of VMs and virtual network segments that connect VMs together. Policy language constructs identify the set of VMs that comprise an application and define various functions and capabilities attached to virtual network segments. The main constructs are as follows:

 

图像 地址:指定 VM 的客户可见的自定义地址。

address: Specify a customer-visible custom address for a VM.

 

图像 组:创建一个或多个虚拟机的逻辑组。将具有相似功能的虚拟机分组,可以将修改应用于整个组,而无需更改附加到各个虚拟机的服务。

group: Create a logical group of one or more VMs. Grouping VMs with similar functions makes it possible for modifications to apply across the entire group without requiring changing the service attached to individual VMs.

 

图像 middlebox:通过指定其类型和配置文件来命名并初始化新的虚拟中间盒。可用中间件列表及其配置语法由云提供商提供。示例包括入侵检测和审计合规系统。

middlebox: Name and initialize a new virtual middlebox by specifying its type and a configuration file. The list of available middleboxes and their configuration syntax is supplied by the cloud provider. Examples include intrusion detection and audit compliance systems.

 

图像 网络服务:指定附加到虚拟网段的功能,例如第 2 层广播域、链路 QoS 以及必须遍历的中间盒列表。

networkservice: Specify capabilities to attach to a virtual network segment, such as Layer 2 broadcast domain, link QoS, and list of middleboxes that must be traversed.

 

图像 virtualnet:虚拟网段连接虚拟机组并与网络服务关联。虚拟网络可以跨越一个或两个组。对于单个组,该服务适用于组中所有虚拟机对之间的流量。对于一对组,服务应用于第一组中的任何VM和第二组中的任何VM之间。虚拟网络还可以连接到一些预定义的组,例如 EXTERNAL,它表示云外部的所有端点。

virtualnet: Virtual network segments connect groups of VMs and are associated with network services. A virtual network can span one or two groups. With a single group, the service applies to traffic between all pairs of VMs in the group. With a pair of groups, the service is applied between any VM in the first group and any VM in the second group. Virtual networks can also connect to some predefined groups, such as EXTERNAL, which indicates all endpoints outside of the cloud.
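
The policy constructs above, together with the communication-matrix step (b), as an added illustrative model in Python; this is not CloudNaaS’s own policy syntax or code, and the three-tier tenant, its VM names and the middlebox name are constructed for the example:

```python
"""Illustrative model of the CloudNaaS policy constructs (constructed example,
not CloudNaaS's own syntax or code). address/group/middlebox/networkservice/
virtualnet declarations are expanded into the communication matrix, i.e. the
set of ordered endpoint pairs and the services that apply between them."""
from dataclasses import dataclass, field
from itertools import permutations, product

EXTERNAL = "EXTERNAL"  # predefined group: every endpoint outside the cloud


@dataclass
class NetworkService:
    name: str
    l2_broadcast: bool = False                 # Layer 2 broadcast domain
    qos_mbps: int = 0                          # link QoS (0 = best effort)
    middleboxes: list = field(default_factory=list)  # traversed in this order


@dataclass
class Policy:
    addresses: dict = field(default_factory=dict)    # vm -> customer-visible address
    groups: dict = field(default_factory=dict)       # group -> [vm, ...]
    middleboxes: dict = field(default_factory=dict)  # name -> (type, config file)
    services: dict = field(default_factory=dict)     # name -> NetworkService
    virtualnets: list = field(default_factory=list)  # (service, [group] or [g1, g2])

    def address(self, vm, addr):
        self.addresses[vm] = addr

    def group(self, name, vms):
        self.groups[name] = list(vms)

    def middlebox(self, name, kind, config):
        self.middleboxes[name] = (kind, config)

    def networkservice(self, svc):
        self.services[svc.name] = svc

    def virtualnet(self, service, groups):
        if not 1 <= len(groups) <= 2:
            raise ValueError("a virtual network spans one or two groups")
        self.virtualnets.append((service, list(groups)))


def members(policy, group):
    # EXTERNAL has no VM members; it is a single opaque endpoint here.
    return [EXTERNAL] if group == EXTERNAL else policy.groups[group]


def communication_matrix(policy):
    """Return {(src, dst): [service, ...]} for every ordered endpoint pair."""
    matrix = {}
    for svc_name, groups in policy.virtualnets:
        svc = policy.services[svc_name]
        missing = [m for m in svc.middleboxes if m not in policy.middleboxes]
        if missing:
            raise ValueError(f"service {svc_name} uses undeclared middlebox {missing}")
        if len(groups) == 1:
            # single group: the service applies between all pairs in the group
            pairs = list(permutations(members(policy, groups[0]), 2))
        else:
            # pair of groups: any VM of the first with any VM of the second
            a, b = members(policy, groups[0]), members(policy, groups[1])
            pairs = list(product(a, b)) + list(product(b, a))
        for src, dst in pairs:
            matrix.setdefault((src, dst), []).append(svc_name)
    return matrix


def sample_policy():
    """Constructed tenant: web VMs reachable from outside only through an IDS,
    web-to-database traffic with QoS, and web VMs sharing an L2 broadcast domain."""
    p = Policy()
    p.group("web", ["web1", "web2"])
    p.group("db", ["db1"])
    p.address("web1", "10.0.1.10")
    p.middlebox("ids", "intrusion_detection", "ids.conf")
    p.networkservice(NetworkService("frontdoor", middleboxes=["ids"]))
    p.networkservice(NetworkService("backend", qos_mbps=100))
    p.networkservice(NetworkService("webmesh", l2_broadcast=True))
    p.virtualnet("frontdoor", [EXTERNAL, "web"])
    p.virtualnet("backend", ["web", "db"])
    p.virtualnet("webmesh", ["web"])
    return p
```

Note that the database VM never appears in a pair with EXTERNAL: a virtual network that is not declared yields no entry in the matrix, so nothing is provisioned for it.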

 

Figure 6.11 provides an overview of the architecture of CloudNaaS. Its two main components are a cloud controller and a network controller. The cloud controller provides a base Infrastructure as a Service (IaaS) service for managing VM instances. The user can communicate standard IaaS requests, such as setting up VMs and storage. In addition, the network policy constructs enable the user to define the virtual network capabilities for the VMs. The cloud controller manages a software programmable virtual switch on each physical server in the cloud that supports network services for tenant applications, including the management of the user-defined virtual network segments. The cloud controller constructs the communication matrix and transmits it to the network controller.

FIGURE 6.11 CloudNaaS Architecture

The network controller uses the communication matrix to configure the data plane physical and virtual switches. It generates virtual networks between VMs and provides VM placement directives to the cloud controller. It monitors the traffic and performance on the cloud data plane switches and makes changes to the network state as needed to optimize the use of resources to meet tenant requirements. The controller invokes the placement optimizer to determine the best locations to place VMs within the cloud (and reports them to the cloud controller for provisioning). The controller then uses the network provisioner module to generate the set of configuration commands for each of the programmable devices in the network and configures them accordingly to instantiate the tenant’s virtual network segments.

Thus, CloudNaaS provides the cloud customer with the ability to go beyond simply requesting processing and storage resources, to defining a virtual network of VMs and controlling the service and QoS requirements of that virtual network.

6.7 Mobility and Wireless

In addition to all the traditional performance, security, and reliability requirements of wired networks, wireless networks impose a broad range of new requirements and challenges. Mobile users continuously generate demand for new services with high-quality and efficient content delivery independent of location. Network providers must deal with problems related to managing the available spectrum, implementing handover mechanisms, performing efficient load balancing, responding to QoS and QoE requirements, and maintaining security.

SDN can provide much-needed tools for the mobile network provider, and in recent years a number of SDN-based applications for wireless network providers have been designed. [KREU15] lists the following SDN application areas, among others: seamless mobility through efficient handovers, creation of on-demand virtual access points, load balancing, downlink scheduling, dynamic spectrum usage, enhanced intercell interference coordination, per-client/base-station resource block allocation, simplified administration, easy management of heterogeneous network technologies, interoperability between different networks, shared wireless infrastructure, and management of QoS and access control policies.

SDN support for wireless network providers is an area of intense activity, and a wide range of application offerings is likely to continue to appear.

6.8 Information-Centric Networking

Information-centric networking (ICN), also known as content-centric networking, has received significant attention in recent years, mainly driven by the fact that distributing and manipulating information has become the major function of the Internet today. Unlike the traditional host-centric networking paradigm, in which information is obtained by contacting specified named hosts, ICN aims to provide native network primitives for efficient information retrieval by directly naming and operating on information objects.

With ICN, a distinction exists between location and identity, thus decoupling information from its sources. The essence of this approach is that information sources can place, and information users can find, information anywhere in the network, because the information is named, addressed, and matched independently of its location. In ICN, instead of specifying a source-destination host pair for communication, a piece of information itself is named. After a request is sent, the network is responsible for locating the best source that can provide the desired information. Routing of information requests thus seeks to find the best source for the information, based on a location-independent name.

Deploying ICN on traditional networks is challenging, because existing routing equipment would need to be updated or replaced with ICN-enabled routing devices. Further, ICN shifts the delivery model from host-to-user to content-to-user. This creates a need for a clear separation between the task of handling information demand and supply and the task of forwarding. SDN has the potential to provide the necessary technology for deploying ICN because it provides programmability of the forwarding elements and a separation of the control and data planes.

A number of projects have proposed using SDN capabilities to implement ICNs. There is no consensus approach to achieving this coupling of SDN and ICN. Suggested approaches include substantial enhancements or modifications to the OpenFlow protocol, developing a mapping of names into IP addresses using a hash function, using the IP option header as a name field, and using an abstraction layer between an OpenFlow (OF) switch and an ICN router, so that the layer, OF switch, and ICN router function together as a single programmable ICN router.

The remainder of this section briefly introduces this last approach [NGUY13, NGUY14]. The approach is designed to provide OF switches with ICN functionality without having to modify the OF switches. It is built on an open protocol specification and software reference implementation of ICN known as CCNx. Before looking at the abstraction layer approach, a brief background on CCNx is needed.

CCNx

CCNx is being developed by the Palo Alto Research Center (PARC) as an open source project, and a number of implementations have been experimentally deployed.

Communication in CCN is via two packet types: Interest packets and Content packets. A consumer requests content by sending an Interest packet. Any CCN node that receives the Interest and has named data that satisfies it responds with a Content packet (also known simply as a Content). Content satisfies an Interest if the name in the Interest packet matches the name in the Content Object packet. If a CCN node receives an Interest and does not already have a copy of the requested Content, it may forward the Interest toward a source for the content; the CCN node has forwarding tables that determine in which direction to send the Interest. A provider receiving an Interest for which it has matching named content replies with a Content packet. Any intermediate node can optionally cache the Content Object, and it can respond with the cached copy the next time it receives an Interest packet with the same name.

The basic operation of a CCN node is similar to that of an IP node. CCN nodes receive and send packets over faces. A face is a connection point to an application, another CCN node, or some other kind of channel. A face may have attributes that indicate expected latency and bandwidth, broadcast or multicast capability, or other useful features. A CCN node has three main data structures:

Content Store: Holds a table of previously seen (and optionally cached) Content packets.

Forwarding Information Base (FIB): Used to forward Interest packets toward potential data sources.

Pending Interest Table (PIT): Used to keep track of Interests forwarded upstream by this CCN node toward the content source, so that Content packets received later can be sent back to their requestors.

The details of how content sources become known and how routes are set up through the CCN network are beyond our scope. Briefly, content providers advertise the names of their content, and routes are established through the CCN network by cooperation among the CCN nodes.
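
A simulation of the CCN node forwarding logic described above, as an added example that is not CCNx project code: the Content Store, FIB and PIT are plain Python containers, and the longest-prefix FIB match, the face numbers, names and route in the scenario are constructed assumptions.

```python
"""Added example (not CCNx project code): a CCN node with the three data
structures described above, processing Interest and Content packets over faces.
The FIB longest-prefix match and the scenario below are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Interest:
    name: str


@dataclass(frozen=True)
class Content:
    name: str
    data: bytes


class CCNNode:
    def __init__(self, cache=True):
        self.content_store = {}   # name -> Content (previously seen, cached)
        self.fib = []             # (name prefix, upstream face)
        self.pit = {}             # name -> set of faces awaiting the Content
        self.cache = cache
        self.sent = []            # (face, packet) emitted by the node, in order

    def add_route(self, prefix, face):
        """Route installed by the (out-of-scope) name advertisement process."""
        self.fib.append((prefix, face))

    def _fib_lookup(self, name):
        # Longest-prefix match on the hierarchical name ("/a/b" matches "/a/b/c").
        best = None
        for prefix, face in self.fib:
            if name == prefix or name.startswith(prefix.rstrip("/") + "/"):
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, face)
        return None if best is None else best[1]

    def receive(self, face, packet):
        if isinstance(packet, Interest):
            self._on_interest(face, packet)
        else:
            self._on_content(face, packet)

    def _on_interest(self, face, interest):
        # 1. Content Store hit: answer from the cache without forwarding.
        hit = self.content_store.get(interest.name)
        if hit is not None:
            self.sent.append((face, hit))
            return
        # 2. Same name already pending: remember the new requester and do not
        #    send a second copy upstream.
        if interest.name in self.pit:
            self.pit[interest.name].add(face)
            return
        # 3. Forward toward a potential source per the FIB and record it in the PIT.
        upstream = self._fib_lookup(interest.name)
        if upstream is None:
            return  # no route for this name: the Interest is dropped
        self.pit[interest.name] = {face}
        self.sent.append((upstream, interest))

    def _on_content(self, face, content):
        # Only Content that satisfies a pending Interest is accepted; anything
        # else (unsolicited data) is discarded and never cached.
        requesters = self.pit.pop(content.name, None)
        if requesters is None:
            return
        if self.cache:
            self.content_store[content.name] = content
        for f in sorted(requesters):
            self.sent.append((f, content))


def run_scenario():
    """Two consumers ask for the same name: one upstream fetch serves both, a
    third consumer is served from the Content Store, an unroutable name is
    dropped, and unsolicited Content is discarded."""
    node = CCNNode()
    node.add_route("/video", face=9)                 # provider reachable via face 9
    node.receive(1, Interest("/video/a"))            # forwarded to 9, PIT {1}
    node.receive(2, Interest("/video/a"))            # aggregated, PIT {1, 2}
    node.receive(9, Content("/video/a", b"frame"))   # delivered to 1 and 2, cached
    node.receive(3, Interest("/video/a"))            # Content Store hit
    node.receive(4, Interest("/audio/x"))            # no FIB entry: dropped
    node.receive(9, Content("/video/zzz", b"junk"))  # unsolicited: discarded
    return node
```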

 

ICN relies substantially on in-network caching—that is, caching content on the path from content providers to requesters. This on-path caching achieves good overall performance but is not optimal, because the same content may be replicated on several routers, reducing the total volume of distinct content that can be cached. To overcome this limitation, off-path caching can be used: it allocates content to well-defined off-path caches within the network and deflects traffic off the optimal path toward these caches, which are spread across the network. Off-path caching improves the global hit ratio by efficiently utilizing the caching capacity available network-wide, and it permits a reduction in the bandwidth usage of egress links.

Use of an Abstraction Layer

The central design issue in using an SDN switch (in particular, an OF switch) to function as an ICN router is that the OF switch forwards on the basis of fields in the IP packet, especially the destination IP address, whereas an ICN router forwards on the basis of a content name. In essence, the proposed approach hashes the content name into fields that an OF switch can process.

Figure 6.12 shows the overall architecture of the approach. To link a CCNx node software module with an OF switch, an abstraction layer, called the wrapper, is used. The wrapper pairs a switch interface with a CCNx face, and it decodes and hashes the content names in CCN messages into fields that an OF switch can process (for example, IP addresses and port numbers). The large naming space offered by these fields limits the probability of a collision between two different content names. The forwarding tables in the OF switch are set to forward based on the contents of the hashed fields. The switch does not “know” that the contents of these fields are no longer legitimate IP addresses, TCP port numbers, and so forth; it forwards as always, based on the values found in the relevant fields of the incoming IP packets.

FIGURE 6.12 ICN Wrapper Approach

The abstraction layer solves the problem of how to provide CCN functionality using current OF switches. For efficient operation, two additional challenges need to be addressed: how to measure the popularity of content accurately and without a large overhead, and how to build and optimize routing tables to perform deflection. To address these issues, the architecture calls for three new modules in the SDN controller:

Measurement: Content popularity can be inferred directly from OF flow statistics. The measurement module periodically queries and processes statistics from the ingress OF switches to return the list of the most popular content.

Optimization: Uses the list of most popular contents as input to the optimization algorithm. The objective is to minimize the sum of the delays over deflected contents under the following constraints: (1) each popular content is cached at exactly one node, (2) the contents cached at a node do not exceed that node’s capacity, and (3) caching should not cause link congestion.

Deflection: Uses the optimization results to build a mapping, for every content, between the content name (by means of addresses and ports computed from the content name hash) and an outgoing interface toward the node where the content is cached (for example, ip.destination = hash(content name), action = forward to interface 1).

Finally, the mappings are installed in the switches’ flow tables using the OF protocol, so that subsequent Interest packets can be forwarded to the appropriate caches.

Figure 6.13 shows the flow of packets. The OpenFlow switch forwards every packet it receives from its other ports to the wrapper, and the wrapper forwards it to the CCNx module. The OpenFlow switch needs to help the wrapper identify the switch port on which the packet arrived. To achieve this, the OF switch is configured to set the ToS value of every packet it receives to the corresponding incoming port number and then forward all of them to the wrapper’s port.

FIGURE 6.13 Packet Flow Between CCNx and OpenFlow Switch

The wrapper maps a CCNx face to an interface (that is, a port) of the OpenFlow switch using the ToS value. Face W is a special face between the wrapper and the CCNx module. W receives every Content packet from the wrapper and is used to send every Interest packet from CCNx to the wrapper.

Part a of Figure 6.13 shows how incoming packets from the OF switch are handled by the wrapper. For an Interest packet, the wrapper extracts the face value from the ToS field and forwards the packet to the corresponding CCNx face. If the CCNx node holds a copy of the requested content, it composes a Content packet and returns it to the incoming face. Otherwise, it forwards the Interest to face W and updates its PIT accordingly. When a Content packet arrives from the OF switch, the wrapper forwards it directly to face W.

Part b of Figure 6.13 shows the operation of the wrapper on packets received from the CCNx module. For Content packets, it sets the ToS field accordingly, specifying the output port. Then, for any packet, it decodes the packet to extract the content name it carries. The name is hashed, and the source IP address of the packet is set to correspond to the hashed value. Finally, the wrapper forwards the packet to the OF switch. Content packets are thus returned to their corresponding incoming face; Interest packets have their ToS value set to zero, so the OF switch forwards them to the next hop.

Thus, the use of the wrapper abstraction layer provides basic ICN functionality plus deflection functionality without requiring modification of either the CCNx module or the OpenFlow switch.
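
A model of the wrapper of Figure 6.13, as an added example (constructed; not the NGUY13/NGUY14 implementation): the ToS byte carries the switch port, the content name is hashed into the source address and port fields an OF switch can match on, and a birthday-bound estimate shows why the 48-bit address-plus-port space matters for collisions. SHA-256 as the hash function, the packet fields and the face identifiers are assumptions.

```python
"""Added example modelling the wrapper of Figure 6.13 (constructed; not the
NGUY13/NGUY14 code). Assumptions: SHA-256 as the name hash, the subset of
packet fields shown, integer switch ports as face identifiers."""
import hashlib
import ipaddress
import math
import struct
from dataclasses import dataclass

FACE_W = "W"       # special face between the wrapper and the CCNx module
TOS_NEXT_HOP = 0   # Interests leaving the wrapper carry ToS 0: normal forwarding


@dataclass
class Packet:
    kind: str              # "Interest" or "Content"
    name: str              # CCN content name, e.g. "/parc/video/frame1"
    src_ip: str = "0.0.0.0"
    src_port: int = 0
    tos: int = 0           # ToS byte; the switch stamps its ingress port here


def hash_name(name):
    """Hash a content name into a 32-bit IPv4 address plus a 16-bit port,
    i.e. 48 bits of name space that an OF switch can match on."""
    digest = hashlib.sha256(name.encode("utf-8")).digest()
    addr = ipaddress.IPv4Address(struct.unpack("!I", digest[:4])[0])
    port = struct.unpack("!H", digest[4:6])[0]
    return str(addr), port


def collision_probability(n_names, bits=48):
    """Birthday-bound estimate that at least two of n names share a hash
    value; with 32 bits (address only) the space is far too small."""
    return 1.0 - math.exp(-(n_names ** 2) / (2.0 * 2 ** bits))


class Wrapper:
    def __init__(self):
        self.to_ccnx = []    # (face, packet) handed to the CCNx module
        self.to_switch = []  # packets handed to the OF switch

    def from_switch(self, pkt):
        """Figure 6.13(a): packets arriving from the OF switch."""
        if pkt.kind == "Interest":
            face = pkt.tos            # ingress port recovered from ToS
            self.to_ccnx.append((face, pkt))
        else:
            self.to_ccnx.append((FACE_W, pkt))   # Content always goes to W
        return self.to_ccnx[-1]

    def from_ccnx(self, face, pkt):
        """Figure 6.13(b): packets arriving from the CCNx module."""
        if pkt.kind == "Content":
            pkt.tos = face            # output port = face the Interest came in on
        else:
            pkt.tos = TOS_NEXT_HOP    # Interest: let the switch forward upstream
        # Name -> fields the switch can match; it never sees a real IP address.
        pkt.src_ip, pkt.src_port = hash_name(pkt.name)
        self.to_switch.append(pkt)
        return pkt
```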

 

6.9 Key Terms

After completing this chapter, you should be able to define the following terms.

abstraction

abstraction layer

CloudNaaS

content-centric networking (CCN)

cross-section bandwidth

distributed denial of service (DDoS)

distribution abstraction

forwarding abstraction

Frenetic

information-centric networking (ICN)

Infrastructure as a Service (IaaS)

measurement and monitoring

network services abstraction layer

off-path caching

on-path caching

PolicyCop

specification abstraction

traffic engineering

Part III: Virtualization

The basic idea is that the several components in any complex system will perform particular subfunctions that contribute to the overall function.

The Sciences of the Artificial, Herbert Simon

CHAPTER 7: Network Functions Virtualization: Concepts and Architecture

CHAPTER 8: NFV Functionality

CHAPTER 9: Network Virtualization

Interest in, and work on, network functions virtualization (NFV) began later than the corresponding software-defined network (SDN) effort. However, NFV and a broader conception of virtual networking have come to play a role of equal importance to that of SDN in modern networking. Part III is devoted to a broad and thorough presentation of NFV concepts, technology, and applications, and to a discussion of network virtualization. Chapter 7 begins by introducing the concept of a virtual machine and then looks at the use of virtual machine technology to develop NFV-based networking environments. Chapter 8 is a detailed look at the functionality of NFV elements and also relates NFV to SDN. Chapter 9 looks at traditional concepts of virtual networks, then at the more modern approach to network virtualization, and finally introduces the concept of software-defined infrastructure.

Chapter 7. Network Functions Virtualization: Concepts and Architecture

It has been found useful in many installations to use an operating system to simulate the existence of several machines on a single physical set of hardware. The IBM VM/370 operating system is one example. This technique allows an installation to multiprogram several different operating systems (or different versions of the same operating system) on a single physical machine. The dynamic-address-translation hardware allows such a simulator to be efficient enough to be used, in many cases, in production mode.

—Architecture of the IBM System/370, Communications of the ACM, January 1978,

Richard Case and Adris Padegs

Chapter Objectives: After studying this chapter, you should be able to

Understand the concept of a virtual machine.

Explain the difference between Type 1 and Type 2 hypervisors.

List and explain the key benefits of NFV.

List and explain the key requirements for NFV.

Present an overview of the NFV architecture.

This chapter and the succeeding two chapters focus on the application of virtualization to modern networking. Virtualization encompasses a variety of technologies for managing computing resources, providing a software translation layer, known as an abstraction layer, between the software and the physical hardware. Virtualization turns physical resources into logical, or virtual, resources. Virtualization enables users, applications, and management software operating above the abstraction layer to manage and use resources without needing to be aware of the physical details of the underlying resources. In this chapter and the next, we focus on the use of virtual machine (VM) technology as a basis for the new concept of network functions virtualization (NFV). Chapter 9, “Network Virtualization,” deals with virtual networks and the concept of network virtualization.

7.1 Background and Motivation for NFV

NFV originated from discussions among major network operators and carriers about how to improve network operations in the high-volume multimedia era. These discussions resulted in the publication of the original NFV white paper, Network Functions Virtualization: An Introduction, Benefits, Enablers, Challenges & Call for Action [ISGN12]. In this white paper, the group states that the overall objective of NFV is to leverage standard IT virtualization technology to consolidate many network equipment types onto industry-standard high-volume servers, switches, and storage, which could be located in data centers, network nodes, and end-user premises.

The white paper highlights that the need for this new approach arises because networks include a large and growing variety of proprietary hardware appliances, leading to the following negative consequences:

New network services may require additional, different types of hardware appliances, and finding the space and power to accommodate these boxes is becoming increasingly difficult.

New hardware means additional capital expenditure.

Once new types of hardware appliances are acquired, operators are faced with the scarcity of the skills necessary to design, integrate, and operate increasingly complex hardware-based appliances.

Hardware-based appliances rapidly reach end of life, requiring much of the procure-design-integrate-deploy cycle to be repeated with little or no revenue benefit.

As technology and services innovation accelerates to meet the demands of an increasingly network-centric IT environment, the need for an increasing variety of hardware platforms inhibits the introduction of new revenue-earning network services.

The NFV approach moves away from dependence on a variety of hardware platforms to the use of a small number of standardized platform types, with virtualization techniques used to provide the needed network functionality. In the white paper, the group expresses the belief that the NFV approach is applicable to any data plane packet processing and control plane function in fixed and mobile network infrastructures.

In addition to providing a way to overcome the problems cited in the preceding list, NFV provides a number of other benefits. These are best examined in Section 7.4, after the introduction to VM technology and NFV concepts in Sections 7.2 and 7.3, respectively.

7.2 Virtual Machines

Traditionally, applications have run directly on an operating system (OS) on a personal computer (PC) or on a server. Each PC or server would run only one OS at a time. Therefore, application vendors had to rewrite parts of their applications for each OS/platform they would run on and support, which increased time to market for new features and functions, increased the likelihood of defects, increased quality testing efforts, and usually led to higher prices. To support multiple operating systems, application vendors needed to create, manage, and support multiple hardware and operating system infrastructures, a costly and resource-intensive process. One effective strategy for dealing with this problem is known as hardware virtualization. Virtualization technology enables a single PC or server to simultaneously run multiple operating systems or multiple sessions of a single OS. A machine running virtualization software can host numerous applications, including those that run on different operating systems, on a single hardware platform. In essence, the host operating system can support a number of virtual machines (VMs), each of which has the characteristics of a particular OS and, in some versions of virtualization, the characteristics of a particular hardware platform.

Virtualization is not a new technology. During the 1970s, IBM mainframe systems offered the first capabilities that would allow programs to use only a portion of a system’s resources. Various forms of that ability have been available on platforms since that time. Virtualization came into mainstream computing in the early 2000s when the technology became commercially available on x86 servers. Organizations were suffering from a surfeit of servers because of a Microsoft Windows-driven “one application, one server” strategy. Moore’s Law drove rapid hardware improvements that outpaced the capabilities of software, and most of these servers were vastly underutilized, often consuming less than 5 percent of the available resources in each server. In addition, this overabundance of servers filled data centers and consumed vast amounts of power and cooling, thereby straining a corporation’s ability to manage and maintain its infrastructure. Virtualization helped relieve this stress.

The Virtual Machine Monitor

The solution that enables virtualization is a virtual machine monitor (VMM), commonly known today as a hypervisor. This software sits between the hardware and the VMs, acting as a resource broker (see Figure 7.1). Simply put, the hypervisor allows multiple VMs to safely coexist on a single physical server host and share that host’s resources. The number of guests that can exist on a single host is measured as a consolidation ratio. For example, a host that is supporting six VMs is said to have a consolidation ratio of 6 to 1, also written as 6:1 (see Figure 7.2). The initial hypervisors in the commercial space could provide consolidation ratios of between 4:1 and 12:1, but even at the low end, if a company virtualized all of its servers, it could remove 75 percent of the servers from its data centers. More important, it could remove the cost as well, which often ran into the millions or tens of millions of dollars annually. With fewer physical servers, less power and less cooling were needed. This also leads to fewer cables, fewer network switches, and less floor space. Server consolidation became, and continues to be, a tremendously valuable way to solve a costly and wasteful problem. Today, more virtual servers are deployed in the world than physical servers, and virtual server deployment continues to accelerate.

FIGURE 7.1 Virtual Machine Concept

FIGURE 7.2 Virtual Machine Consolidation

The VM approach is a common way for businesses and individuals to deal with legacy applications and to optimize their hardware usage by maximizing the various kinds of applications that a single computer can handle. Commercial hypervisor offerings by companies such as VMware and Microsoft are widely used, with millions of copies having been sold. A key aspect of server virtualization is that, in addition to the capability of running multiple VMs on one machine, VMs can be viewed as network resources. Server virtualization masks server resources, including the number and identity of individual physical servers, processors, and operating systems, from server users. This makes it possible to partition a single host into multiple independent servers, conserving hardware resources. It also makes it possible to quickly migrate a server from one machine to another for load balancing or for dynamic switchover in the case of machine failure. Server virtualization has become a central element in dealing with big data applications and in implementing cloud computing infrastructures.

Architectural Approaches

 

Virtualization is all about abstraction. Much like an operating system abstracts the disk I/O commands from a user through the use of program layers and interfaces, virtualization abstracts the physical hardware from the VMs it supports. As noted already, the virtual machine monitor, or hypervisor, is the software that provides this abstraction. It acts as a broker, or traffic cop, serving as a proxy for the guests (VMs) as they request and consume resources of the physical host.

 

A VM is a software construct that mimics the characteristics of a physical server. It is configured with some number of processors, some amount of RAM, storage resources, and connectivity through the network ports. Once that VM is created, it can be powered on like a physical server, loaded with an operating system and applications, and used in the manner of a physical server. Unlike a physical server, this virtual server sees only the resources it has been configured with, not all the resources of the physical host itself. This isolation allows a host machine to run many VMs, each running the same or different copies of an operating system, sharing RAM, storage, and network bandwidth, without problems. An operating system in a VM accesses the resource that is presented to it by the hypervisor. The hypervisor facilitates the translation of I/O from the VM to the physical server devices, and back again to the correct VM. To achieve this, certain privileged instructions that a “native” operating system would be executing on its host’s hardware now trigger a hardware trap and are run by the hypervisor as a proxy for the VM. This creates some performance degradation in the virtualization process, though over time both hardware and software improvements have minimized this overhead.

 

VMs are made up of files. A typical VM can consist of just a few files. There is a configuration file that describes the attributes of the VM. It contains the server definition, how many virtual processors (vCPUs) are allocated to this VM, how much RAM is allocated, which I/O devices the VM has access to, how many network interface cards (NICs) are in the virtual server, and more. It also describes the storage that the VM can access. Often that storage is presented as virtual disks that exist as additional files in the physical file system. When a VM is powered on, or instantiated, additional files are created for logging, for memory paging, and other functions. That a VM consists of files makes certain functions in a virtual environment much simpler and quicker than in a physical environment. Since the earliest days of computers, backing up data has been a critical function. Because VMs are already files, copying them produces not only a backup of the data but also a copy of the entire server, including the operating system, applications, and the hardware configuration itself.

 

To create a copy of a physical server, additional hardware needs to be acquired, installed, configured, loaded with an operating system, applications, and data, and then patched to the latest revisions, before being turned over to the users. This provisioning can take weeks or even months depending on the processes in place. Because a VM consists of files, by duplicating those files, in a virtual environment there is a perfect copy of the server available in a matter of minutes. There are a few configuration changes to make (server name and IP address to name two), but administrators routinely stand up new VMs in minutes or hours, as opposed to months.

 

Another method to rapidly provision new VMs is through the use of templates. A template provides a standardized group of hardware and software settings that can be used to create new VMs configured with those settings. Creating a new VM from a template consists of providing unique identifiers for the new VM and having the provisioning software build a VM from the template and adding in the configuration changes as part of the deployment.

 

In addition to consolidation and rapid provisioning, virtual environments have become the new model for data center infrastructures for many reasons. One of these is increased availability. VM hosts are clustered together to form pools of computer resources. Multiple VMs are hosted on each of these servers and in the case of a physical server failure, the VMs on the failed host can be quickly and automatically restarted on another host in the cluster. Compared with providing this type of availability for a physical server, virtual environments can provide higher availability at significantly lower cost and less complexity. For servers that require greater availability, fault tolerance is available in some solutions through the use of shadowed VMs running in lockstep to ensure that no transactions are lost in the event of a physical server failure, again without increased complexity. One of the most compelling features of virtual environments is the capability to move a running VM from one physical host to another, without interruption, degradation, or impacting the users of that VM. vMotion, as it is known in a VMware environment, or Live Migration, as it is known in others, is used for a number of crucial tasks. From an availability standpoint, moving VMs from one host to another without incurring downtime allows administrators to perform work on the physical hosts without impacting operations. Maintenance can be performed on a weekday morning instead of during scheduled downtime on a weekend. New servers can be added to the environment and older servers removed without impacting the applications. In addition to these manually initiated migrations, migrations can be automated depending on resource usage. If a VM starts to consume more resources than normal, other VMs can be automatically relocated to hosts in the cluster where resources are available, ensuring adequate performance for all the VMs and better overall performance. These are simple examples that only scratch the surface of what virtual environments offer.

 

As mentioned earlier, the hypervisor sits between the hardware and the VMs. There are two types of hypervisors, distinguished by whether there is another operating system between the hypervisor and the host. A Type 1 hypervisor (see part a of Figure 7.3) is loaded as a thin software layer directly into a physical server, much like an operating system is loaded. Once it is installed and configured, usually within a matter of minutes, the server can then support VMs as guests. In mature environments, where virtualization hosts are clustered together for increased availability and load balancing, a hypervisor can be staged on a new host, the new host can be joined to an existing cluster, and VMs can be moved to the new host without any interruption of service. Some examples of Type 1 hypervisors are VMware ESXi, Microsoft Hyper-V, and the various open source Xen variants. This idea that the hypervisor is loaded onto the “bare metal” of a server is usually a difficult concept for people to understand. They are more comfortable with a solution that works as a traditional application, program code that is loaded on top of a Microsoft Windows or UNIX/Linux operating system environment. This is exactly how a Type 2 hypervisor (see part b of Figure 7.3) is deployed. Some examples of Type 2 hypervisors are VMware Workstation and Oracle VM VirtualBox.

 
FIGURE 7.3 Type 1 and Type 2 Virtual Machine Monitors

 

There are some important differences between the Type 1 and the Type 2 hypervisors. A Type 1 hypervisor is deployed on a physical host and can directly control the physical resources of that host, whereas a Type 2 hypervisor has an operating system between itself and those resources and relies on the operating system to handle all the hardware interactions on the hypervisor’s behalf. Typically, Type 1 hypervisors perform better than Type 2 because Type 1 hypervisors do not have that extra layer. Because a Type 1 hypervisor doesn’t compete for resources with an operating system, there are more resources available on the host, and by extension, more VMs can be hosted on a virtualization server using a Type 1 hypervisor. Type 1 hypervisors are also considered to be more secure than the Type 2 hypervisors. VMs on a Type 1 hypervisor make resource requests that are handled external to that guest, and they cannot affect other VMs or the hypervisor by which they are supported. This is not necessarily true for VMs on a Type 2 hypervisor and a malicious guest could potentially affect more than itself. A Type 1 hypervisor implementation would not require the cost of a host operating system, though a true cost comparison would be a more complicated discussion. Type 2 hypervisors allow a user to take advantage of virtualization without needing to dedicate a server to only that function. Developers who need to run multiple environments as part of their process, in addition to taking advantage of the personal productive workspace that a PC operating system provides, can do both with a Type 2 hypervisor installed as an application on their Linux or Windows desktop. The VMs that are created and used can be migrated or copied from one hypervisor environment to another, reducing deployment time and increasing the accuracy of what is deployed, reducing the time to market of a project.

 

Container Virtualization

 

A relatively recent approach to virtualization is known as container virtualization. In this approach, software, known as a virtualization container, runs on top of the host OS kernel and provides an execution environment for applications (Figure 7.4). Unlike hypervisor-based VMs, containers do not aim to emulate physical servers. Instead, all containerized applications on a host share a common OS kernel. This eliminates the resources needed to run a separate OS for each application and can greatly reduce overhead.

 
FIGURE 7.4 Container Virtualization

 

Because the containers execute on the same kernel, thus sharing most of the base OS, containers are much smaller and lighter weight compared to a hypervisor/guest OS VM arrangement. Accordingly, an OS can have many containers running on top of it, compared to the limited number of hypervisors and guest operating systems that can be supported.

 

7.3 NFV Concepts

 

Chapter 2, “Requirements and Technology,” defined network functions virtualization (NFV) as the virtualization of network functions by implementing these functions in software and running them on VMs. NFV is a significant departure from traditional approaches to the design, deployment, and management of networking services. NFV decouples network functions, such as Network Address Translation (NAT), firewalling, intrusion detection, Domain Name Service (DNS), and caching, from proprietary hardware appliances so that they can run in software on VMs. NFV builds on standard VM technologies, extending their use into the networking domain.

 

Virtual machine technology, as discussed in Section 7.2, enables migration of dedicated application and database servers to commercial off-the-shelf (COTS) x86 servers. The same technology can be applied to network-based devices, including the following:

 

Network function devices: Such as switches, routers, network access points, customer premises equipment (CPE), and deep packet inspectors (for deep packet inspection).

 

Network-related compute devices: Such as firewalls, intrusion detection systems, and network management systems.

 

Network-attached storage: File and database servers attached to the network.

 

In traditional networks, all devices are deployed on proprietary/closed platforms. All network elements are enclosed boxes, and hardware cannot be shared. Each device requires additional hardware for increased capacity, but this hardware is idle when the system is running below capacity. With NFV, however, network elements are independent applications that are flexibly deployed on a unified platform comprising standard servers, storage devices, and switches. In this way, software and hardware are decoupled, and capacity for each application is increased or decreased by adding or reducing virtual resources (see Figure 7.5).

 
FIGURE 7.5 Vision for Network Functions Virtualization

 

By broad consensus, the Network Functions Virtualization Industry Standards Group (ISG NFV), created as part of the European Telecommunications Standards Institute (ETSI), has the lead and indeed almost the sole role in creating NFV standards. ISG NFV was established in 2012 by seven major telecommunications network operators. Its membership has since grown to include network equipment vendors, network technology companies, other IT companies, and service providers such as cloud service providers.

 
ISG NFV published the first batch of specifications in October 2013, and subsequently updated most of those in late 2014 and early 2015. Table 7.1 shows the complete list of specifications as of early 2015. Table 7.2 provides definitions for a number of terms that are used in the ISG NFV documents and the NFV literature in general.

 
TABLE 7.1 ISG NFV Specifications

 
TABLE 7.2 NFV Terminology

 

Simple Example of the Use of NFV

 

This section considers a simple example from the NFV Architectural Framework document. Part a of Figure 7.6 shows a physical realization of a network service. At the top level, the network service consists of endpoints connected by a forwarding graph of network functional blocks, called network functions (NFs). Examples of NFs are firewalls, load balancers, and wireless network access points. In the Architectural Framework, NFs are viewed as distinct physical nodes. The endpoints are beyond the scope of the NFV specifications and include all customer-owned devices. So, in the figure, endpoint A could be a smartphone and endpoint B a content delivery network (CDN) server.

 
FIGURE 7.6 A Simple NFV Configuration Example

 

Part a of Figure 7.6 highlights the network functions that are relevant to the service provider and customer. The interconnections among the NFs and endpoints are depicted by dashed lines, representing logical links. These logical links are supported by physical paths through infrastructure networks (wired or wireless).

 

Part b of Figure 7.6 illustrates a virtualized network service configuration that could be implemented on the physical configuration of part a of Figure 7.6. VNF-1 provides network access for endpoint A, and VNF-2 provides network access for B. The figure also depicts the case of a nested VNF forwarding graph (VNF-FG-2) constructed from other VNFs (that is, VNF-2A, VNF-2B and VNF-2C). All of these VNFs run as VMs on physical machines, called points of presence (PoPs). This configuration illustrates several important points. First, VNF-FG-2 consists of three VNFs even though ultimately all the traffic transiting VNF-FG-2 is between VNF-1 and VNF-3. The reason for this is that three separate and distinct network functions are being performed. For example, it may be that some traffic flows need to be subjected to a traffic policing or shaping function, which could be performed by VNF-2C. So, some flows would be routed through VNF-2C, while others would bypass this network function.

 

A second observation is that two of the VMs in VNF-FG-2 are hosted on the same physical machine. Because these two VMs perform different functions, they need to be distinct at the virtual resource level but can be supported by the same physical machine. But this is not required, and a network management function may at some point decide to migrate one of the VMs to another physical machine, for reasons of performance. This movement is transparent at the virtual resource level.

 

NFV Principles

 

As suggested by Figure 7.6, the VNFs are the building blocks used to create end-to-end network services. Three key NFV principles are involved in creating practical network services:

 

Service chaining: VNFs are modular and each VNF provides limited functionality on its own. For a given traffic flow within a given application, the service provider steers the flow through multiple VNFs to achieve the desired network functionality. This is referred to as service chaining.

 

Management and orchestration (MANO): This involves deploying and managing the lifecycle of VNF instances. Examples include VNF instance creation, VNF service chaining, monitoring, relocation, shutdown, and billing. MANO also manages the NFV infrastructure elements.

 

Distributed architecture: A VNF may be made up of one or more VNF components (VNFC), each of which implements a subset of the VNF’s functionality. Each VNFC may be deployed in one or multiple instances. These instances may be deployed on separate, distributed hosts to provide scalability and redundancy.
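The forwarding-graph example of Figure 7.6 and the service-chaining and distributed-architecture principles above, as an added example (not the book's or ETSI's code): a small Python model in which VNFs are chained, VNF-FG-2 is nested inside the end-to-end service, flows that need policing are steered through VNF-2C while other flows bypass it, and migrating one VM to another PoP changes the physical path without touching the logical chain. The `policed` flow attribute, the PoP names, and the co-location of VNF-2A and VNF-2B on one machine are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class VNF:
    name: str
    function: str  # network function the VNF implements
    pop: str       # point of presence (physical machine) hosting its VM


@dataclass(frozen=True)
class Flow:
    src: str       # endpoint, e.g. "A"
    dst: str       # endpoint, e.g. "B"
    policed: bool  # assumed classification: flow is subject to policing/shaping


class ForwardingGraph:
    """An ordered VNF forwarding graph. A hop is a VNF name or a nested graph
    (as VNF-FG-2 is nested inside the end-to-end service in Figure 7.6)."""

    def __init__(self, name: str, hops: List[Union[str, "ForwardingGraph"]],
                 conditional: Optional[Dict[str, str]] = None) -> None:
        self.name = name
        self.hops = hops
        # VNF name -> Flow attribute that must be true for the flow to visit it;
        # flows without that attribute bypass the VNF (VNF-2C in the text).
        self.conditional = conditional or {}

    def vnf_names(self) -> List[str]:
        """All VNFs referenced by this graph, nested graphs included."""
        names: List[str] = []
        for hop in self.hops:
            names.extend(hop.vnf_names() if isinstance(hop, ForwardingGraph) else [hop])
        return names

    def path(self, flow: Flow) -> List[str]:
        """Logical chain of VNFs the flow is steered through (service chaining)."""
        chain: List[str] = []
        for hop in self.hops:
            if isinstance(hop, ForwardingGraph):
                chain.extend(hop.path(flow))
            elif hop in self.conditional and not getattr(flow, self.conditional[hop]):
                continue  # this flow bypasses the optional network function
            else:
                chain.append(hop)
        return chain


def validate(graph: ForwardingGraph, inventory: Dict[str, VNF]) -> List[str]:
    """Return the VNFs the graph references but no VM instance provides."""
    return [n for n in graph.vnf_names() if n not in inventory]


def physical_path(chain: List[str], inventory: Dict[str, VNF]) -> List[str]:
    """PoPs traversed by a logical chain, in order, collapsing consecutive
    hops whose VMs sit on the same physical machine."""
    pops: List[str] = []
    for name in chain:
        pop = inventory[name].pop
        if not pops or pops[-1] != pop:
            pops.append(pop)
    return pops


def migrate(inventory: Dict[str, VNF], name: str, new_pop: str) -> Dict[str, VNF]:
    """Relocate one VNF's VM to another PoP; the logical graph is untouched."""
    moved = dict(inventory)
    old = moved[name]
    moved[name] = VNF(old.name, old.function, new_pop)
    return moved


# Constructed inventory mirroring Figure 7.6 part b. The text does not say which
# two VNF-FG-2 VMs share a machine; VNF-2A and VNF-2B on PoP-2 is assumed.
INVENTORY: Dict[str, VNF] = {
    "VNF-1":  VNF("VNF-1",  "network access, endpoint A side", "PoP-1"),
    "VNF-2A": VNF("VNF-2A", "function 2A (unspecified)",       "PoP-2"),
    "VNF-2B": VNF("VNF-2B", "function 2B (unspecified)",       "PoP-2"),
    "VNF-2C": VNF("VNF-2C", "traffic policing/shaping",        "PoP-3"),
    "VNF-3":  VNF("VNF-3",  "network access, endpoint B side", "PoP-4"),
}

VNF_FG_2 = ForwardingGraph("VNF-FG-2", ["VNF-2A", "VNF-2B", "VNF-2C"],
                           conditional={"VNF-2C": "policed"})
SERVICE = ForwardingGraph("A-to-B service", ["VNF-1", VNF_FG_2, "VNF-3"])


if __name__ == "__main__":
    assert not validate(SERVICE, INVENTORY)
    for flow in (Flow("A", "B", policed=True), Flow("A", "B", policed=False)):
        chain = SERVICE.path(flow)
        print(flow, "->", chain, "via", physical_path(chain, INVENTORY))
    after = migrate(INVENTORY, "VNF-2B", "PoP-3")
    chain = SERVICE.path(Flow("A", "B", policed=True))
    print("after migration:", physical_path(chain, after), "chain unchanged:", chain)
```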

 

High-Level NFV Framework

 

Figure 7.7 shows a high-level view of the NFV framework defined by ISG NFV. This framework supports the implementation of network functions as software-only VNFs. We use this to provide an overview of the NFV architecture, which is examined in more detail in Chapter 8, “NFV Functionality.”

 
FIGURE 7.7 High-Level NFV Framework

 

The NFV framework consists of three domains of operation:

 

Virtualized network functions: The collection of VNFs, implemented in software, that run over the NFVI.

 

NFV infrastructure (NFVI): The NFVI performs a virtualization function on the three main categories of devices in the network service environment: computer devices, storage devices, and network devices.

 

NFV management and orchestration: Encompasses the orchestration and lifecycle management of physical/software resources that support the infrastructure virtualization, and the lifecycle management of VNFs. NFV management and orchestration focuses on all virtualization-specific management tasks necessary in the NFV framework.

 

The ISG NFV Architectural Framework document specifies that in the deployment, operation, management and orchestration of VNFs, two types of relations between VNFs are supported:

 

VNF forwarding graph (VNF FG): Covers the case where network connectivity between VNFs is specified, such as a chain of VNFs on the path to a web server tier (for example, firewall, network address translator, load balancer).

 

VNF set: Covers the case where the connectivity between VNFs is not specified, such as a web server pool.

 

7.4 NFV Benefits and Requirements

 

Having considered an overview of NFV concepts, we can now summarize key benefits of NFV and requirements for successful implementation.

 

NFV Benefits

 

If NFV is implemented efficiently and effectively, it can provide a number of benefits compared to traditional networking approaches. The following are the most important potential benefits:

 

Reduced CapEx, by using commodity servers and switches, consolidating equipment, exploiting economies of scale, and supporting pay-as-you-grow models to eliminate wasteful overprovisioning. This is perhaps the main driver for NFV.

 

Reduced OpEx, in terms of power consumption and space usage, by using commodity servers and switches, consolidating equipment, and exploiting economies of scale, and reduced network management and control expenses. Reduced CapEx and OpEx are perhaps the main drivers for NFV.

 

The ability to innovate and roll out services quickly, reducing the time to deploy new networking services to support changing business requirements, seize new market opportunities, and improve return on investment of new services. Also lowers the risks associated with rolling out new services, allowing providers to easily trial and evolve services to determine what best meets the needs of customers.

 

Ease of interoperability because of standardized and open interfaces.

 

Use of a single platform for different applications, users and tenants. This allows network operators to share resources across services and across different customer bases.

 

Provides agility and flexibility, by quickly scaling services up or down to address changing demands.

 

Targeted service introduction based on geography or customer sets is possible. Services can be rapidly scaled up/down as required.

 

A wide variety of ecosystems, which encourages openness. It opens the virtual appliance market to pure software entrants, small players, and academia, encouraging more innovation to bring new services and new revenue streams quickly at much lower risk.

 

NFV Requirements

 

To deliver these benefits, NFV must be designed and implemented to meet a number of requirements and technical challenges, including the following [ISGN12]:

 

Portability/interoperability: The capability to load and execute VNFs provided by different vendors on a variety of standardized hardware platforms. The challenge is to define a unified interface that clearly decouples the software instances from the underlying hardware, as represented by VMs and their hypervisors.

 

Performance trade-off: Because the NFV approach is based on industry standard hardware (that is, avoiding any proprietary hardware such as acceleration engines), a probable decrease in performance has to be taken into account. The challenge is how to keep the performance degradation as small as possible by using appropriate hypervisors and modern software technologies, so that the effects on latency, throughput, and processing overhead are minimized.

 

Migration and coexistence with respect to legacy equipment: The NFV architecture must support a migration path from today’s proprietary physical network appliance-based solutions to more open standards-based virtual network appliance solutions. In other words, NFV must work in a hybrid network composed of classical physical network appliances and virtual network appliances. Virtual appliances must therefore use existing northbound interfaces (for management and control) and interwork with physical appliances implementing the same functions.

 

Management and orchestration: A consistent management and orchestration architecture is required. NFV presents an opportunity, through the flexibility afforded by software network appliances operating in an open and standardized infrastructure, to rapidly align management and orchestration northbound interfaces to well defined standards and abstract specifications.

 

Automation: NFV will scale only if all the functions can be automated. Automation of process is paramount to success.

 

Security and resilience: The security, resilience, and availability of the network should not be impaired when VNFs are introduced.

 

Network stability: Ensuring that the stability of the network is not impacted when managing and orchestrating a large number of virtual appliances across different hardware vendors and hypervisors. This is particularly important when, for example, virtual functions are relocated, or during reconfiguration events (for example, because of hardware and software failures) or because of cyber-attack.

 

Simplicity: Ensuring that virtualized network platforms will be simpler to operate than those that exist today. A significant focus for network operators is simplification of the plethora of complex network platforms and support systems that have evolved over decades of network technology evolution, while maintaining continuity to support important revenue generating services.

 

Integration: Network operators need to be able to “mix and match” servers from different vendors, hypervisors from different vendors, and virtual appliances from different vendors without incurring significant integration costs and avoiding lock-in. The ecosystem must offer integration services and maintenance and third-party support; it must be possible to resolve integration issues between several parties. The ecosystem will require mechanisms to validate new NFV products.

 

7.5 NFV Reference Architecture

 

Figure 7.7 provided a high-level view of the NFV framework. Figure 7.8 shows a more detailed look at the ISG NFV reference architectural framework. You can view this architecture as consisting of four major blocks:

 
FIGURE 7.8 NFV Reference Architectural Framework

 

NFV infrastructure (NFVI): Comprises the hardware and software resources that create the environment in which VNFs are deployed. NFVI virtualizes physical computing, storage, and networking and places them into resource pools.

 

图像 VNF/EMS:以软件实现的在虚拟计算、存储和网络资源上运行的 VNF 集合,以及管理 VNF 的元素管理系统 (EMS) 集合。

VNF/EMS: The collection of VNFs implemented in software to run on virtual computing, storage, and networking resources, together with a collection of element management systems (EMS) that manage the VNFs.

 

图像 NFV 管理和编排 (NFV-MANO):用于管理和编排 NFV 环境中所有资源的框架。这包括计算、网络、存储和虚拟机资源。

NFV management and orchestration (NFV-MANO): Framework for the management and orchestration of all resources in the NFV environment. This includes computing, networking, storage, and VM resources.

 

图像 OSS/BSS:由VNF服务提供商实施的运营和业务支持系统。

OSS/BSS: Operational and business support systems implemented by the VNF service provider.

 

It is also useful to view the architecture as consisting of three layers. The NFVI, together with the virtualized infrastructure manager, provides and manages the virtual resource environment and its underlying physical resources. The VNF layer provides the software implementation of network functions, together with element management systems and one or more VNF managers. Finally, there is a management, orchestration, and control layer consisting of the OSS/BSS and the NFV orchestrator.

 

NFV Management and Orchestration

The NFV management and orchestration facility includes the following functional blocks:

 

• NFV orchestrator: Responsible for installing and configuring new network service (NS) and virtual network function (VNF) packages, NS lifecycle management, global resource management, and validation and authorization of NFVI resource requests.

• VNF manager: Oversees lifecycle management of VNF instances.

• Virtualized infrastructure manager (VIM): Controls and manages the interaction of a VNF with the computing, storage, and network resources under its authority, as well as the virtualization of those resources.

 

Reference Points

Figure 7.8 also defines a number of reference points that constitute interfaces between functional blocks. The main (named) reference points and the execution reference points are shown as solid lines and are within the scope of NFV; these are potential targets for standardization. The dashed reference points are available in present deployments but might need extensions to handle network functions virtualization. The dotted reference points are not a focus of NFV at present.

The main reference points are as follows:

 

• Vi-Ha: Marks interfaces to the physical hardware. A well-defined interface specification will make it easier for operators to share physical resources for different purposes, reassign resources for different purposes, evolve software and hardware independently, and obtain software and hardware components from different vendors.

• Vn-Nf: These interfaces are the APIs used by VNFs to execute on the virtual infrastructure. Application developers, whether migrating existing network functions or developing new VNFs, require a consistent interface that provides functionality and the ability to specify performance, reliability, and scalability requirements.

• Nf-Vi: Marks interfaces between the NFVI and the virtualized infrastructure manager (VIM). This interface can facilitate specification of the capabilities that the NFVI provides for the VIM. The VIM must be able to manage all the NFVI virtual resources, including allocation, monitoring of system utilization, and fault management.

• Or-Vnfm: This reference point is used for sending configuration information to the VNF manager and for collecting the state information of the VNFs necessary for network service lifecycle management.

• Vi-Vnfm: Used for resource allocation requests by the VNF manager and for the exchange of resource configuration and state information.

• Or-Vi: Used for resource allocation requests by the NFV orchestrator and for the exchange of resource configuration and state information.

• Os-Ma: Used for interaction between the orchestrator and the OSS/BSS systems.

• Ve-Vnfm: Used for requests for VNF lifecycle management and for the exchange of configuration and state information.

• Se-Ma: Interface between the orchestrator and a data set that provides information on the VNF deployment template, the VNF forwarding graph, service-related information, and NFV infrastructure information models.

 
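The allocation path described by the reference points above, as an added example that is not code from the book or from ETSI: a VNF manager requests NFVI resources (Vi-Vnfm), the NFV orchestrator validates and authorizes the request and applies global quotas (Or-Vnfm / Or-Vi), and only then does the VIM allocate from the NFVI pool (Nf-Vi). The class names, the two tenants, the network ownership table and the quota figures are assumptions constructed for illustration; the point it shows is that the orchestrator, not the VIM, is where a request from one tenant's VNF manager for another tenant's network or beyond its quota gets refused.

```python
"""Model of the NFV-MANO resource-allocation path.

Added example; it is not code from the book or from ETSI.  Class names,
tenants and quota figures are assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class ResourceRequest:
    tenant: str      # tenant the request is made on behalf of
    vnf_id: str
    vcpus: int
    mem_gb: int
    network: str     # virtual network the VNFC must attach to


@dataclass
class Vim:
    """Virtualized infrastructure manager: owns the NFVI resource pool (Nf-Vi)."""
    free_vcpus: int
    free_mem_gb: int
    networks: dict[str, str]                 # network name -> owning tenant
    allocations: list[ResourceRequest] = field(default_factory=list)

    def allocate(self, req: ResourceRequest) -> str:
        if req.vcpus > self.free_vcpus or req.mem_gb > self.free_mem_gb:
            raise RuntimeError("NFVI pool exhausted")
        self.free_vcpus -= req.vcpus
        self.free_mem_gb -= req.mem_gb
        self.allocations.append(req)
        return f"alloc-{len(self.allocations)}"


@dataclass
class Orchestrator:
    """NFV orchestrator: global resource management plus validation and
    authorization of NFVI resource requests before they reach the VIM."""
    vim: Vim
    quotas: dict[str, tuple[int, int]]       # tenant -> (vcpu quota, memory quota)
    used: dict[str, list[int]] = field(default_factory=dict)

    def authorize(self, requester: str, req: ResourceRequest) -> tuple[bool, str]:
        # 1. A VNF manager may only request on behalf of the tenant it serves.
        if requester != req.tenant:
            return False, "tenant mismatch"
        # 2. A VNFC may only attach to a virtual network its tenant owns.
        if self.vim.networks.get(req.network) != req.tenant:
            return False, "network not owned by tenant"
        # 3. Per-tenant quota: global resource management across all VNFs.
        quota_cpu, quota_mem = self.quotas.get(req.tenant, (0, 0))
        used_cpu, used_mem = self.used.setdefault(req.tenant, [0, 0])
        if used_cpu + req.vcpus > quota_cpu or used_mem + req.mem_gb > quota_mem:
            return False, "quota exceeded"
        return True, "ok"

    def grant(self, requester: str, req: ResourceRequest) -> tuple[str | None, str]:
        ok, reason = self.authorize(requester, req)
        if not ok:
            return None, reason            # never forwarded to the VIM
        handle = self.vim.allocate(req)
        self.used[req.tenant][0] += req.vcpus
        self.used[req.tenant][1] += req.mem_gb
        return handle, reason


class VnfManager:
    """VNF manager: lifecycle of VNF instances; obtains resources via the NFVO."""

    def __init__(self, tenant: str, nfvo: Orchestrator) -> None:
        self.tenant = tenant
        self.nfvo = nfvo

    def instantiate(self, req: ResourceRequest) -> tuple[str | None, str]:
        return self.nfvo.grant(self.tenant, req)


def demo() -> dict[str, tuple[str | None, str]]:
    # Constructed setup: one NFVI-PoP shared by two operators, opA and opB.
    vim = Vim(free_vcpus=16, free_mem_gb=64, networks={"net-a": "opA", "net-b": "opB"})
    nfvo = Orchestrator(vim, quotas={"opA": (8, 32), "opB": (8, 32)})
    vnfm_a = VnfManager("opA", nfvo)
    return {
        "ok": vnfm_a.instantiate(ResourceRequest("opA", "fw-1", 4, 8, "net-a")),
        "foreign_network": vnfm_a.instantiate(ResourceRequest("opA", "fw-2", 2, 4, "net-b")),
        "spoofed_tenant": vnfm_a.instantiate(ResourceRequest("opB", "fw-3", 2, 4, "net-b")),
        "over_quota": vnfm_a.instantiate(ResourceRequest("opA", "fw-4", 6, 8, "net-a")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result}")
```

The VIM only sees the request that survives all three checks, which is the division of labor the Or-Vi and Vi-Vnfm reference points imply: the VIM enforces physical pool limits, the orchestrator enforces who may ask for what.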

Implementation

As with SDN, success for NFV requires standards at appropriate interface reference points and open source software for commonly used functions. For several years, ISG NFV has been working on standards for the various interfaces and components of NFV. In September 2014, the Linux Foundation announced the Open Platform for NFV (OPNFV) project. OPNFV aims to be a carrier-grade, integrated platform that brings new products and services to the industry more quickly. The key objectives of OPNFV are as follows:

 

• Develop an integrated and tested open source platform that can be used to investigate and demonstrate core NFV functionality.

• Secure proactive participation of leading end users to validate that OPNFV releases address participating operators’ needs.

• Influence and contribute to the relevant open source projects that will be adopted in the OPNFV reference platform.

• Establish an open ecosystem for NFV solutions based on open standards and open source software.

• Promote OPNFV as the preferred open reference platform to avoid unnecessary and costly duplication of effort.

 

OPNFV and ISG NFV are independent initiatives, but it is likely that they will work closely together to ensure that OPNFV implementations remain within the standardized environment defined by ISG NFV.

The initial scope of OPNFV is building the NFVI and the VIM, including application programming interfaces (APIs) to the other NFV elements, which together form the basic infrastructure required for VNFs and MANO components. This scope is highlighted in Figure 7.9 as consisting of the NFVI and VIM. With this platform as a common base, vendors can add value by developing VNF software packages and the associated VNF manager and orchestrator software.

FIGURE 7.9 NFV Implementation

 

7.6 Key Terms

After completing this chapter, you should be able to define the following terms.

 

business support system (BSS)

capital expenditure (CapEx)

commercial off-the-shelf (COTS)

consolidation ratio

hardware virtualization

hypervisor

hypervisor domain

infrastructure-based virtual network

L2 virtual network

network functions virtualization (NFV)

Open Platform for NFV (OPNFV)

operational expenditure (OpEx)

point of presence (PoP)

scale down

scale in

Type 1 hypervisor

Type 2 hypervisor

virtual machine (VM)

virtual machine monitor (VMM)

 

7.7 References

ISGN12: ISG NFV. Network Functions Virtualization: An Introduction, Benefits, Enablers, Challenges & Call for Action. ISG NFV White Paper, October 2012.

 

Chapter 8. NFV Functionality

The world has arrived at an age of cheap, complex devices of great reliability; and something is bound to come of it.

—“As We May Think,” Vannevar Bush, The Atlantic, July 1945

 

Chapter Objectives: After studying this chapter, you should be able to

• Explain the elements of the NFV infrastructure and their interrelationships.

• Understand key design issues related to virtualized network functions.

• Explain the purpose and operation of NFV management and orchestration.

• Present an overview of important NFV use cases.

• Discuss the relationship between SDN and NFV.

 
 

This chapter concludes our discussion of network functions virtualization (NFV).

 

8.1 NFV Infrastructure

The heart of the NFV architecture is a collection of resources and functions known as the NFV infrastructure (NFVI). The NFVI encompasses three domains, as illustrated in Figure 8.1 and described in the list that follows.

FIGURE 8.1 NFV Domains

 

• Compute domain: Provides commercial off-the-shelf (COTS) high-volume servers and storage.

• Hypervisor domain: Mediates the resources of the compute domain to the VMs of the software appliances, providing an abstraction of the hardware.

• Infrastructure network domain (IND): Comprises all the generic high-volume switches interconnected into a network that can be configured to supply infrastructure network services.

 

Container Interface

Before proceeding with a discussion of the NFVI, we need to clarify the concept of container interface as used in the ETSI Network Functions Virtualization Industry Specification Group (ISG NFV) documents. Unfortunately, the European Telecommunications Standards Institute (ETSI) documents use the term container in a different sense from that of container virtualization. The NFV Infrastructure document states that container interface should not be confused with container as used in the context of container virtualization as an alternative to full VMs. Further, the Infrastructure document states that some virtual network functions (VNFs) may be designed for hypervisor virtualization and others for container virtualization. With this clarification, the following examines the container interface concept.

The ETSI documents make a distinction between a functional block interface and a container interface, as follows:

 

• Functional block interface: An interface between two blocks of software that perform separate (perhaps identical) functions. The interface allows communication between the two blocks, which may or may not be on the same physical host.

• Container interface: An execution environment on a host system within which a functional block executes. The functional block is on the same physical host as the container that provides the container interface.

The concept of a container interface is important because, in discussing VMs and VNFs within the NFV architecture and how these functional blocks interact, it is easy to lose sight of the fact that all of these virtualized functions must execute on actual physical hosts.

 

Figure 8.2 relates container and functional block interfaces to the domain structure of the NFVI.

FIGURE 8.2 General Domain Architecture and Associated Interfaces

The ETSI NFVI Architecture Overview document makes the following points concerning this figure:

 

• The architecture of the VNFs is separated from the architecture hosting the VNFs (that is, the NFVI).

• The architecture of the VNFs may be divided into a number of domains, with consequences for the NFVI, and vice versa.

• Given the current technology and industrial structure, compute (including storage), hypervisors, and infrastructure networking are already largely separate domains and are maintained as separate domains within the NFVI.

• Management and orchestration tends to be sufficiently distinct from the NFVI to warrant being defined as its own domain; however, the boundary between the two is often only loosely defined, with functions such as element management falling in an area of overlap.

• The interface between the VNF domains and the NFVI is a container interface, not a functional block interface.

• The management and orchestration functions are also likely to be hosted in the NFVI (as VMs) and therefore are also likely to sit on a container interface.

 

Figure 8.2 gives insight into the deployment of NFV. The user’s view of a network of interconnected VNFs is of a virtualized network in which the physical and lower-level logical details are transparent. But the VNFs and the logical links between them are hosted on an NFVI container, which in turn is hosted on VMs and VM containers running on physical hosts. Therefore, if we view the VNF architecture as having three layers (physical resource, virtualization, application), all three layers are present on a single physical host. Of course, functionality may be distributed across multiple compute and switch hosts, but all application software ultimately runs on the same physical host as the virtualization software. This is in contrast to software-defined networking (SDN), where by design the data plane functions and the control plane functions are on separate physical hosts. Application plane SDN functions may execute on the same host as the control plane functions but may also execute remotely on another host.

Table 8.1 describes the interfaces labeled in Figure 8.2; the numbers in the second column of the table correspond to the numbered arrows in the figure. Interfaces 4, 6, 7, and 12 are container interfaces, so the components on both sides of the interface execute on the same host. Interfaces 3, 8, 9, 10, 11, and 14 are functional block interfaces and, in most cases, the functional blocks on the two sides of the interface execute on different hosts. However, in some cases, some of the management and orchestration software may be hosted on a system that also hosts other NFVI components. Figure 8.2 also shows interfaces 1, 2, 5, and 13 to existing networks that have not implemented NFV. The NFV documents anticipate that NFV will typically be introduced into an enterprise facility over time, so interaction with non-NFV networks is necessary.

TABLE 8.1 Inter-Domain Interfaces Arising from Domain Architecture

 

Deployment of NFVI Containers

A single compute or network host can host multiple virtual machines (VMs), each of which hosts a single VNF component (VNFC). A network function may be virtualized as a single VNFC, or multiple VNFCs may be combined to form a single VNF. Part a of Figure 8.3 shows the organization of VNFCs on a single compute node. The compute container interface hosts a hypervisor, which in turn can host multiple VMs, each hosting a VNFC.

FIGURE 8.3 Deployment of NFVI Containers

When a VNF is composed of multiple VNFCs, it is not necessary that all the VNFCs execute on the same host. As shown in part b of Figure 8.3, the VNFCs can be distributed across multiple compute nodes interconnected by the network hosts that form the infrastructure network domain.

 

Logical Structure of NFVI Domains

The ISG NFV standards documents lay out the logical structure of the NFVI domains and their interconnections. The specifics of the actual implementation of the elements of this architecture will evolve in both open source and proprietary implementation efforts. The NFVI domain logical structure provides a framework for such development and identifies the interfaces between the main components, as shown in Figure 8.4.

FIGURE 8.4 Logical Structure of NFVI Domains

 

Compute Domain

The principal elements in a typical compute domain may include the following:

• CPU/memory: A COTS processor, with main memory, that executes the code of the VNFC.

• Internal storage: Nonvolatile storage housed in the same physical structure as the processor, such as flash memory.

• Accelerator: Accelerator functions for security, networking, and packet processing may also be included.

• External storage with storage controller: Access to secondary storage devices.

• Network interface card (NIC): Provides the physical interconnection with the infrastructure network domain; this interface is labeled Ha/CSr-Ha/Nr and corresponds to interface 14 of Figure 8.2.

• Control and admin agent: Connects to the virtualized infrastructure manager (VIM); see Figure 7.8 in Chapter 7, “Network Functions Virtualization: Concepts and Architecture.”

• Eswitch: Server embedded switch. The eswitch function, described in the following section, is implemented in the compute domain. However, functionally it forms an integral part of the infrastructure network domain.

• Compute/storage execution environment: The execution environment presented to the hypervisor software by the server or storage device ([VI-Ha]/CSr, interface 12 of Figure 8.2).

 
Eswitch

To understand the functionality of the eswitch, first note that, broadly speaking, VNFs deal with two different kinds of workloads:

• Control plane workloads: Concerned with signaling and control plane protocols such as BGP. Typically, these workloads are more processor intensive than I/O intensive and do not place a significant burden on the I/O system.

• Data plane workloads: Concerned with the routing, switching, relaying, or processing of network traffic payloads. Such workloads can require high I/O throughput.

In a virtualized environment such as NFV, all VNF network traffic would otherwise go through a virtual switch in the hypervisor domain, which places a layer of software between the virtualized VNF software and the host networking hardware. This can create a significant performance penalty. The purpose of the eswitch is to bypass the virtualization software and provide the VNF with a direct memory access (DMA) path to the NIC. The eswitch approach accelerates packet processing without the processor overhead of the software switching path. The same bypass also takes the hypervisor out of the data path: any filtering, rate limiting, or traffic mirroring that the vswitch would perform does not apply to eswitch-attached VNFs, so isolation between those VNFs rests on the NIC’s own switching and on the platform’s IOMMU confining the device’s DMA to the memory of the VM that owns it.

 
NFVI Implementation Using Compute Domain Nodes

As suggested by Figure 8.3, a VNF consists of one or more logically connected VNFCs. The VNFCs run as software on hypervisor domain containers, which in turn run on hardware in the compute domain. Although virtual links and networks are defined through the infrastructure network domain, the actual implementation of network functions at the VNF level consists of software on compute domain nodes. The IND interfaces with the compute domain and not directly with the hypervisor domain or the VNFs. Again, this latter point is illustrated in Figure 8.3.

Before proceeding, we need to define the term node, which is used often in the ISG NFV documents. The documents define an NFVI-Node as a collection of physical devices deployed and managed as a single entity, providing the NFVI functions required to support the execution environment for VNFs. NFVI nodes are in the compute domain and encompass the following types of compute domain nodes:

• Compute node: A functional entity capable of executing a generic computational instruction set (each instruction being fully atomic and deterministic) in such a way that the execution cycle time is of the order of units to tens of nanoseconds, irrespective of what specific state is required for cycle execution. In practical terms, this defines a compute node in terms of memory access time. A distributed system cannot meet this requirement, because the time taken to access state stored in remote memory is far longer.

• Gateway node: A single identifiable, addressable, and manageable element within an NFVI-Node that implements gateway functions. Gateway functions provide the interconnection between NFVI-PoPs and the transport networks. They also connect virtual networks to existing network components. A gateway may process packets going between different networks, for example by removing and adding headers. A gateway may operate at the transport level, dealing with IP and data-link packets, or at the application level.

• Storage node: A single identifiable, addressable, and manageable element within an NFVI-Node that provides storage resources using compute, storage, and networking functions. Storage may be physically implemented in a variety of ways. It could, for example, be implemented as a component within a compute node. An alternative approach is to implement storage nodes independent of the compute nodes as physical nodes within the NFVI-Node. An example of such a storage node is a physical device accessible via a remote storage technology, such as Network File System (NFS) or Fibre Channel.

• Network node: A single identifiable, addressable, and manageable element within an NFVI-Node that provides networking (switching/routing) resources using compute, storage, and network forwarding functions.

A compute domain within an NFVI node will often be deployed as a number of interconnected physical devices. Physical compute domain nodes may include a number of physical resources, such as a multicore processor, memory subsystems, and NICs. An interconnected set of these nodes comprises one NFVI-Node and constitutes one NFVI point of presence (NFVI-PoP). An NFV provider might maintain a number of NFVI-PoPs at distributed locations, providing service to a variety of users, each of whom could implement their VNF software on compute domain nodes at various NFVI-PoP locations.

 

Table 8.2 lists some deployment scenarios suggested in the ISG NFV Compute Domain document. The scenarios include the following:

TABLE 8.2 Some Realistic Deployment Scenarios

• Monolithic operator: One organization owns and houses the hardware equipment and deploys and operates the VNFs and the hypervisors they run on. A private cloud or a data center is an example of this deployment model.

• Network operator hosting virtual network operators: Based on the monolithic operator scenario, with the addition that the monolithic operator hosts other virtual network operators within the same facility. A hybrid cloud is an example of this deployment model.

• Hosted network operator: An IT services organization (for example, HP, Fujitsu) operates the compute hardware, infrastructure network, and hypervisors on which a separate network operator (for example, BT, Verizon) runs VNFs. The equipment is physically secured by the IT services organization.

• Hosted communications providers: Similar to the hosted network operator scenario, but in this case multiple communications providers are hosted. A community cloud is an example of this deployment model.

• Hosted communications and application providers: Similar to the previous scenario. In addition to hosting network and communications providers, servers in a data center facility are offered to the public for deploying virtualized applications. A public cloud is an example of this deployment model.

• Managed network service on customer premises: Similar to the monolithic operator scenario. In this case, the NFV provider’s equipment is housed on the customer’s premises. One example of this model is a remotely managed gateway in a residential or enterprise location. Another is remotely managed networking equipment such as firewalls or virtual private network gateways.

• Managed network service on customer equipment: Similar to the monolithic operator scenario. In this case, the equipment is housed on the customer’s premises on customer-owned equipment. This scenario could be used for managing an enterprise network. A private cloud could also be deployed in this fashion.

 

Note

The different letters represent different companies or organizations and are chosen to represent different roles (for example, H = hosting provider, N = network operator, P = public, C = customer). The numbered network operators (N1, N2, and so on) represent multiple individual hosted network operators.

See the discussion of the National Institute of Standards and Technology (NIST) cloud computing models for a definition of the four cloud types referenced in the preceding list.

See Chapter 13, “Cloud Computing.”

 

Hypervisor Domain

The hypervisor domain is a software environment that abstracts the hardware and implements services such as starting a VM, terminating a VM, acting on policies, scaling, live migration, and high availability. The principal elements in the hypervisor domain are the following:

• Compute/storage resource sharing/management: Manages these resources and provides virtualized resource access for VMs.

• Network resource sharing/management: Manages these resources and provides virtualized resource access for VMs.

• Virtual machine management and API: Provides the execution environment of a single VNFC instance ([Vn-Nf]/VM, interface 7 of Figure 8.2).

• Control and admin agent: Connects to the virtualized infrastructure manager (VIM); see Figure 7.8.

• Vswitch: The vswitch function, described in the next paragraph, is implemented in the hypervisor domain. However, functionally it forms an integral part of the infrastructure network domain.

The vswitch is an Ethernet switch implemented by the hypervisor that interconnects the virtual NICs of the VMs with each other and with the NIC of the compute node. If two VNFs are on the same physical server, they are connected through the same vswitch. If two VNFs are on different servers, the connection passes through the first vswitch to the NIC and then to an external switch, which forwards it to the NIC of the destination server. Finally, that NIC forwards it to its internal vswitch and then to the destination VNF.

 

Infrastructure Network Domain

 

The infrastructure network domain (IND) performs a number of roles. It provides

 

The communication channel between the VNFCs of a distributed VNF

 

The communication channel between different VNFs

 

The communication channel between VNFs and their orchestration and management

 

The communication channel between components of the NFVI and their orchestration and management

 

The means of remote deployment of VNFCs

 

The means of interconnection with the existing carrier network

 

Figure 8.2 illustrates the key reference points defined for the IND. As already mentioned, Ha/CSr-Ha/Nr defines the interface between the IND and the servers/storage of the compute domain, connecting a NIC in the compute domain to a network resource in the infrastructure network domain. Ex-Nf is the reference point between the NFVI and any existing/nonvirtualized network (interface 13 of Figure 8.2). Reference point [VI-HA]/Nr is the interface between the hardware network resources of the IND and the virtualization layer. The virtualization layer provides container interfaces for virtual network entities. The [Vn-Nf]/N reference point (interface 7 of Figure 8.2) is the virtual network (VN) container interface (for example, a link or a LAN) that carries communication between VNFC instances. Note that a single VN can support communication between more than one pair of VNFC instances (a LAN, for example).

 

There is an important distinction between the virtualization function provided by the hypervisor domain and that provided by the infrastructure network domain. Virtualization in the hypervisor domain uses VM technology to create an execution environment for individual VNFCs. Virtualization in the IND creates virtual networks for interconnecting VNFCs with each other and with network nodes outside the NFV ecosystem. These latter nodes are called physical network functions (PNFs).

 
Virtual Networks
 

Before proceeding, we need to clarify how the term virtual network is used in the ISG NFV documents. In general terms, a virtual network is an abstraction of physical network resources as seen by some upper software layer. Virtual network technology enables a network provider to support multiple virtual networks that are isolated from one another. Users of a single virtual network are not aware of the details of the underlying physical network or of the traffic of other virtual networks sharing the physical network resources. Two common approaches to creating virtual networks are (1) protocol-based methods, which define virtual networks by fields in protocol headers, and (2) virtual-machine-based methods, in which the hypervisor creates networks among a set of VMs. NFVI network virtualization combines both forms.

 
L2 Versus L3 Virtual Networks
 

Protocol-based virtual networks can be classified by whether they are defined at protocol Layer 2 (L2), typically the LAN media access control (MAC) layer, or at Layer 3 (L3), typically the Internet Protocol (IP) layer. With an L2 VN, a virtual LAN is identified by a field in the MAC header, such as a MAC address or a virtual LAN ID field inserted into the header. So, for example, within a data center, all the servers and end systems connected to a single Ethernet switch could support virtual LANs among the connected devices. Now suppose IP routers connect segments of the data center, as illustrated in Figure 8.5. Normally, an IP router strips the MAC header from an incoming Ethernet frame and inserts a new MAC header when forwarding the packet onto the next network. The L2 VN can be extended across the router only if the router has additional capability to support the L2 VN, such as the ability to reinsert the virtual LAN ID field in the outgoing MAC frame. Similarly, if an enterprise has two data centers connected by a router and a dedicated line, that router needs the L2 VN capability to extend a VN across the line.

 
FIGURE 8.5 Levels of Network Virtualization

 

An L3 VN makes use of one or more fields in the IP header. A good example is the virtual private network (VPN) defined using IPsec. Packets traveling on the VPN are encapsulated in a new outer IP header (IPsec tunnel mode) and the inner packet is encrypted, so that VPN traffic is isolated and protected as it transits a third-party network such as the Internet.
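The behaviour described for L2 VNs, as an added example that is not code from the book or from any ETSI specification: the following Python (standard library only) builds and parses Ethernet frames carrying an 802.1Q VLAN tag, models a vswitch whose forwarding table is keyed by (VLAN ID, MAC) so that a frame of one VLAN is never delivered into another, and models an IP router hop that rewrites the MAC header and therefore drops the tag unless it has L2 VN support. The tag layout follows IEEE 802.1Q; the MAC addresses, the payload, and the `VSwitch`, `router_forward` and `demo` names are constructed for this illustration.

```python
import struct
from typing import Dict, Optional, Tuple

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac: str, src_mac: str, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame; when vlan_id is given, insert an 802.1Q tag (TPID + TCI)."""
    header = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vlan_id            # 3-bit PCP, 1-bit DEI (0), 12-bit VID
        header += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> dict:
    """Parse the MAC header; vlan_id is None for an untagged frame."""
    dst, src = frame[:6].hex(), frame[6:12].hex()
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan_id": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


class VSwitch:
    """Learning switch keyed by (VLAN ID, MAC): each VLAN is a separate L2 VN."""

    def __init__(self):
        self.table: Dict[Tuple[Optional[int], str], int] = {}

    def forward(self, in_port: int, frame: bytes) -> Optional[int]:
        p = parse_frame(frame)
        self.table[(p["vlan_id"], p["src"])] = in_port      # learn the source within its own VLAN
        return self.table.get((p["vlan_id"], p["dst"]))    # None: unknown, flood only inside this VLAN


def router_forward(frame: bytes, next_hop_mac: str, router_mac: str,
                   l2_vn_capable: bool = False) -> bytes:
    """Model an IP router hop: the incoming MAC header (tag included) is stripped and a new one built.
    Only a router with L2 VN support reinserts the VLAN ID; a plain router silently loses it."""
    p = parse_frame(frame)
    vlan = p["vlan_id"] if l2_vn_capable else None
    return build_frame(next_hop_mac, router_mac, p["payload"], vlan_id=vlan)


def demo() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Return (port for a same-VLAN frame, port for a cross-VLAN frame, VLAN ID after a plain router)."""
    a, b, c = "0a0000000001", "0a0000000002", "0a0000000003"   # constructed MAC addresses
    sw = VSwitch()
    sw.forward(1, build_frame(b, a, b"ip-packet", vlan_id=100))           # learn a on port 1, VLAN 100
    same_vlan = sw.forward(2, build_frame(a, b, b"ip-packet", vlan_id=100))   # -> 1
    cross_vlan = sw.forward(3, build_frame(a, c, b"ip-packet", vlan_id=200))  # -> None: a is not in VLAN 200
    routed = router_forward(build_frame(b, a, b"ip-packet", vlan_id=100), c, "0a00000000ff")
    return same_vlan, cross_vlan, parse_frame(routed)["vlan_id"]           # (1, None, None)


if __name__ == "__main__":
    print(demo())
```

The third value of `demo()` is the practical point: once a plain router has rebuilt the MAC header, the frame arrives untagged and the receiving switch can no longer tell which VN it belonged to, so the isolation the VLAN ID provided ends at that hop unless the router is given `l2_vn_capable=True`.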

 

Chapter 9, "Network Virtualization," covers virtual LANs and VPNs in more detail.

 
NFVI Virtual Network Alternatives
 

ISG NFV defines a virtual network as the network construct that provides connectivity to one or more VNFs hosted on the NFVI. The concept of a virtual network that extends beyond the NFV infrastructure is therefore not currently addressed. In NFV, a virtual network is a network among VNFs.

 

The Network Domain document indicates that three approaches are envisioned for providing a virtual network service:

 

Infrastructure-based VNs

 

Layered VNs using virtual overlays

 

Layered VNs using virtual partitioning

 

A facility can use one of these approaches or a combination of them.

 

An infrastructure-based VN uses the native networking functions of the NFVI compute and networking components. The address space is partitioned so that a VNF's membership in a VN is defined by its IP address. The IND document gives the following example of an L3 infrastructure-based VN:

 

Each VNF is assigned its own unique IP address, which does not overlap with any other address of an element within the NFVI.

 

Logical partitioning of the VNFs into their VNs is achieved by managing access control lists in the L3 forwarding function of each compute node.

 

L3 forwarding between VNFs and the physical fabric can then be handled by the L3 forwarding information base running on the hosting compute node.

 

Control plane solutions, such as Border Gateway Protocol (BGP), can be used to advertise the reachability of the VNFs to other compute hosts.

 

The other two approaches are referred to as layered virtual network approaches. They allow overlapping address spaces: a VNF may participate in more than one VN using the same IP address. The virtualization layer of the IND essentially creates private topologies on the underlying NFVI network fabric, using either virtual overlays or virtual partitioning.
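The two alternatives just described, as an added example that is not from the book or from the ETSI IND document: in the infrastructure-based model, addresses are globally unique and each compute node's L3 forwarding function enforces an ACL that can be derived from the global address map; in the layered model, the virtualization layer keys on (VN, address), so the same address may legitimately appear in two VNs. The class names, the constructed 10.0.0.0/24 addresses and node names, and the permit/deny rule shape are assumptions of this illustration, not a real VIM or forwarding-plane API.

```python
import ipaddress
from typing import Dict, List, Tuple

IP = ipaddress.IPv4Address


class InfrastructureBasedVN:
    """One flat NFVI address space: VN membership is a property of the (unique) IP address, and
    isolation is an ACL applied by the L3 forwarding function of each compute node."""

    def __init__(self):
        self.vn_of: Dict[IP, str] = {}      # VNF address -> VN name
        self.node_of: Dict[IP, str] = {}    # VNF address -> hosting compute node

    def attach(self, vnf_ip: str, vn: str, node: str) -> None:
        ip = IP(vnf_ip)
        if ip in self.vn_of:
            raise ValueError(f"{ip} already in use: addresses cannot overlap in an infrastructure-based VN")
        self.vn_of[ip], self.node_of[ip] = vn, node

    def acl_for_node(self, node: str) -> List[Tuple[str, str, str]]:
        """ACL a compute node installs for the VNFs it hosts: permit same-VN sources, deny everything else.
        Because addresses are globally unique, the list follows from the address map alone."""
        rules = []
        for dst, dst_node in self.node_of.items():
            if dst_node != node:
                continue
            for src, vn in self.vn_of.items():
                if src != dst and vn == self.vn_of[dst]:
                    rules.append(("permit", str(src), str(dst)))
        rules.append(("deny", "any", "any"))
        return rules

    def permitted(self, src_ip: str, dst_ip: str) -> bool:
        """Evaluate the destination node's ACL for one packet (first matching rule wins)."""
        dst = IP(dst_ip)
        if dst not in self.node_of:
            return False
        for action, s, d in self.acl_for_node(self.node_of[dst]):
            if s in ("any", src_ip) and d in ("any", dst_ip):
                return action == "permit"
        return False


class LayeredVN:
    """Layered (overlay or partitioned) VN: the virtualization layer keys on (VN, IP), so the same
    address may appear in several VNs; the VN identity travels in the overlay header or selects the partition."""

    def __init__(self):
        self.members: Dict[Tuple[str, IP], str] = {}   # (VN, address) -> compute node

    def attach(self, vnf_ip: str, vn: str, node: str) -> None:
        key = (vn, IP(vnf_ip))
        if key in self.members:
            raise ValueError(f"{vnf_ip} already used inside VN {vn}")
        self.members[key] = node

    def permitted(self, vn: str, src_ip: str, dst_ip: str) -> bool:
        """A packet is delivered only between members of the VN named in its overlay header / partition."""
        return (vn, IP(src_ip)) in self.members and (vn, IP(dst_ip)) in self.members


def demo() -> dict:
    flat = InfrastructureBasedVN()
    flat.attach("10.0.0.1", "vn-a", "node1")
    flat.attach("10.0.0.2", "vn-a", "node2")
    flat.attach("10.0.0.3", "vn-b", "node2")
    try:
        flat.attach("10.0.0.1", "vn-b", "node3")     # same address in another VN: rejected
        overlap_rejected = False
    except ValueError:
        overlap_rejected = True
    layered = LayeredVN()
    layered.attach("10.0.0.1", "vn-a", "node1")
    layered.attach("10.0.0.1", "vn-b", "node3")       # same address, different VN: allowed
    layered.attach("10.0.0.2", "vn-b", "node2")
    return {
        "flat_same_vn": flat.permitted("10.0.0.1", "10.0.0.2"),               # True
        "flat_cross_vn": flat.permitted("10.0.0.1", "10.0.0.3"),              # False
        "flat_overlap_rejected": overlap_rejected,                            # True
        "layered_vn_b": layered.permitted("vn-b", "10.0.0.1", "10.0.0.2"),    # True
        "layered_wrong_vn": layered.permitted("vn-a", "10.0.0.1", "10.0.0.2"),  # False: 10.0.0.2 is not in vn-a
    }


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is where the isolation lives: in the infrastructure-based model it is only as good as the ACL on every compute node (a node with a stale or missing rule set leaks between VNs), whereas in the layered model a packet that does not carry the right VN identity cannot reach the wrong tenant even if the inner addresses coincide.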

 

The virtual overlay VN uses the concept of an overlay network. In essence, an overlay network is a logical network built on top of another network. Nodes in the overlay can be thought of as being connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network. Overlay networks do not, however, control the routing between two overlay nodes. In the NFV context, the overlay networks are the VNs used by the VNFs, and the underlay consists of the infrastructure network resources. These overlays are normally created by edge nodes with a dual personality: they participate in creating the virtual networks and also act as infrastructure network resources. In contrast, the core nodes of the infrastructure network participate only in the infrastructure network and have no overlay awareness. The L2 and L3 virtual networks discussed earlier fall into this category.

 

The virtual partitioning VN approach integrates the VNs, called virtual network partitions in this context, directly into the infrastructure network on an end-to-end basis. Discrete virtual topologies are built for each virtual network in both the edge and the core nodes of the infrastructure network. This can consist of per-virtual-network forwarding tables, logical links, and even control planes, end to end across the infrastructure network.

 

8.2 Virtualized Network Functions

 

A VNF is a virtualized implementation of a traditional network function. Table 8.3 contains examples of functions that could be virtualized.

 
TABLE 8.3 Potential Network Functions to Be Virtualized

 

VNF Interfaces

 

As discussed earlier, a VNF consists of one or more VNF components (VNFCs). The VNFCs of a single VNF are connected internally to the VNF. This internal structure is not visible to other VNFs or to the VNF user.

 

Figure 8.6 shows the interfaces relevant to a discussion of VNFs, described in the list that follows.

 
FIGURE 8.6 VNF Functional View

 

SWA-1: This interface enables communication between a VNF and other VNFs, PNFs, and endpoints. Note that the interface is to the VNF as a whole, not to individual VNFCs. SWA-1 interfaces are logical interfaces that primarily make use of the network connectivity services available at the SWA-5 interface.

 

SWA-2: This interface enables communication between the VNFCs within a VNF. It is vendor specific and therefore not a subject for standardization. It may also make use of the network connectivity services available at the SWA-5 interface; however, if two VNFCs of a VNF are deployed on the same host, other technologies may be used to minimize latency and increase throughput, as described below.

 

SWA-3: This is the interface to the VNF manager within the NFV management and orchestration module. The VNF manager is responsible for lifecycle management (creation, scaling, termination, and so on). The interface is typically implemented as a network connection over IP.

 

SWA-4: This is the interface for runtime management of the VNF by the element manager.

 

SWA-5: This interface describes the execution environment for a deployable instance of a VNF. Each VNFC maps to a virtualized container interface to a VM.

 

VNFC to VNFC Communication

 

As mentioned earlier, the internal structure of a VNF, in terms of multiple VNFCs, is not exposed externally. The VNF appears as a single functional system in the network it supports. However, internal connectivity between VNFCs within the same VNF, or across co-located VNFs, needs to be specified by the VNF provider, supported by the NFVI, and managed by the VNF manager. The VNF Architecture document describes a number of architectural design models intended to deliver the desired performance and quality of service (QoS), such as access to storage or compute resources. One of the most important of these design models concerns communication between VNFCs.

 

Figure 8.7, from the ETSI VNF Architecture document, illustrates six scenarios that use different network technologies to support communication between VNFCs:

 
FIGURE 8.7 VNFC to VNFC Communication

 

1. Communication through a hardware switch. In this case, the VMs supporting the VNFCs bypass the hypervisor to access the physical NIC directly. This provides enhanced performance for VNFCs on different physical hosts.

 

2. Communication through the vswitch in the hypervisor. This is the basic method of communication between co-located VNFCs, but it does not provide the QoS or performance that some VNFs may require.

 

3. Greater performance can be achieved by using data processing acceleration libraries and drivers appropriate to the CPU in use. The library is called from the vswitch. An example of a suitable commercial product is the Data Plane Development Kit (DPDK), a set of data plane libraries and network interface controller drivers for fast packet processing on Intel architecture platforms. Scenario 3 assumes a Type 1 hypervisor (see Figure 7.3).

 

4. Communication through an embedded switch (eswitch) in a NIC that supports Single Root I/O Virtualization (SR-IOV). SR-IOV is a PCI-SIG specification that defines a method of splitting a device into multiple PCI Express requester IDs (virtual functions) in a way that allows an I/O memory management unit (IOMMU) to distinguish the different traffic streams and apply memory and interrupt translations, so that each stream is delivered directly to the appropriate VM and nonprivileged traffic flows cannot affect other VMs. In practice, this isolation holds only when the IOMMU is enabled and each virtual function is assigned to a single VM; a VM with direct access to a virtual function bypasses the hypervisor's vswitch, and with it any filtering the vswitch would otherwise apply to that traffic.

 

5. An embedded switch in the NIC hardware with SR-IOV, combined with data plane acceleration software deployed in the VNFC.

 

6. A serial bus directly connects two VNFCs that have extreme workloads or very low latency requirements. This is essentially an I/O channel means of communication rather than a NIC-based one.

 

VNF Scaling

 

An important property of VNFs is elasticity, which simply means the ability to scale up/down or scale out/in. Every VNF has an elasticity parameter associated with it, taking one of the values no elasticity, scale up/down only, scale out/in only, or both scale up/down and scale out/in.

 

A VNF is scaled by scaling one or more of its constituent VNFCs. Scale out/in is implemented by adding/removing VNFC instances belonging to the VNF being scaled. Scale up/down is implemented by adding/removing resources from existing VNFC instances belonging to the VNF being scaled.

 

8.3 NFV Management and Orchestration

 

Note 1: Some of the material in this section is based on [KHAN15].

 

The primary function of the NFV management and orchestration (MANO) component of NFV is the management and orchestration of the NFV environment. That task is complex in itself. Complicating MANO functionality further is its need to interoperate and cooperate with existing operations support systems (OSS) and business support systems (BSS) in providing management for customers whose networking environment consists of a mixture of physical and virtual elements.

 

Figure 8.8, from the ETSI MANO document, shows the basic structure of NFV-MANO and its key interfaces. As can be seen, there are five management blocks: three within NFV-MANO, the EMS associated with the VNFs, and the OSS/BSS. The latter two blocks are not part of MANO but exchange information with it for the overall management of a customer's networking environment.

 
FIGURE 8.8 The NFV-MANO Architectural Framework with Reference Points

 

Virtualized Infrastructure Manager

 

Virtualized infrastructure management (VIM) comprises the functions used to control and manage the interaction of a VNF with the computing, storage, and network resources under its authority, as well as their virtualization. A single VIM instance is responsible for controlling and managing the NFVI compute, storage, and network resources, usually within one operator's infrastructure domain. That domain could consist of all the resources within an NFVI-PoP, resources across multiple NFVI-PoPs, or a subset of the resources within an NFVI-PoP. To cover the overall networking environment, multiple VIMs within a single MANO may be needed.

 

A VIM performs the following:

 

Resource management, in charge of the following:

 

Inventory of the software (for example, hypervisors), computing, storage, and network resources dedicated to the NFV infrastructure

 

Allocation of virtualization enablers, for example, VMs onto hypervisors, compute resources, storage, and the relevant network connectivity

 

Management of infrastructure resources and their allocation, for example, increasing the resources of VMs, improving energy efficiency, and resource reclamation

 

Operations, for the following:

 

Visibility into and management of the NFV infrastructure

 

Root cause analysis of performance issues from the NFV infrastructure perspective

 

Collection of infrastructure fault information

 

Collection of information for capacity planning, monitoring, and optimization

 

Virtual Network Function Manager

 

A VNF manager (VNFM) is responsible for VNFs. Multiple VNFMs may be deployed: a VNFM may be deployed for each VNF, or one VNFM may serve multiple VNFs. The functions a VNFM performs include the following:

 

VNF instantiation, including VNF configuration if required by the VNF deployment template (for example, initial configuration of the VNF with IP addresses before the instantiation operation completes)

 

VNF instantiation feasibility checking, if required

 

VNF instance software update/upgrade

 

VNF instance modification

 

VNF instance scaling out/in and up/down

 

Collection of NFVI performance measurement results and fault/event information related to a VNF instance, and their correlation to VNF instance-related events/faults

 

VNF instance assisted or automated healing

 

VNF instance termination

 

VNF lifecycle management change notification

 

Management of the integrity of the VNF instance throughout its lifecycle

 

Overall coordination and adaptation role for configuration and event reporting between the VIM and the EM

 

NFV Orchestrator

 

The NFV orchestrator (NFVO) is responsible for resource orchestration and network service orchestration.

 

Resource orchestration manages and coordinates the resources under the management of different VIMs. The NFVO coordinates, authorizes, releases, and engages NFVI resources among different PoPs or within one PoP. It does so by engaging with the VIMs through their northbound APIs rather than with the NFVI resources directly.

 

Network service orchestration manages and coordinates the creation of an end-to-end service involving VNFs from different VNFM domains. Service orchestration does this in the following way:

 

It creates end-to-end services between different VNFs. It achieves this by coordinating with the respective VNFMs, so it does not need to talk to the VNFs directly. An example is creating a service between the base station VNFs of one vendor and the core node VNFs of another vendor.

 

It can instantiate VNFMs, where applicable.

 

It performs topology management of the network service instances (also called VNF forwarding graphs).

 

Repositories

 

Associated with the NFVO are four repositories of information needed for the management and orchestration functions:

 

Network services catalog: List of the usable network services. A deployment template for a network service, in terms of its VNFs and a description of their connectivity through virtual links, is stored in the NS catalog for future use.

 

VNF catalog: Database of all usable VNF descriptors. A VNF descriptor (VNFD) describes a VNF in terms of its deployment and operational behavior requirements. It is used primarily by the VNFM in the process of VNF instantiation and lifecycle management of a VNF instance. The information in the VNFD is also used by the NFVO to manage and orchestrate network services and virtualized resources on the NFVI.

 

NFV instances: List containing details about network service instances and the related VNF instances.

 

NFVI resources: List of the NFVI resources utilized for the purpose of establishing NFV services.
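As an added example (not from the book or from any ETSI interface specification) that ties together the VNF scaling rules of Section 8.2 and the four repositories just listed: a small Python NFVO that on-boards an NSD only if every VNF it names is in the VNF catalog and every virtual link connects two of those VNFs, runs a feasibility check against the NFVI resources record before instantiating or scaling, enforces the VNFD elasticity parameter (scale out/in changes the VNFC count, scale up/down changes per-VNFC resources), and rolls back a scaling request the NFVI cannot satisfy. All names (`NFVO`, `VNFD`, `NSD`, the `vfw`/`vlb` descriptors, the resource figures) are constructed for this illustration; a real VNFD and NSD carry far more fields, and a real NFVO reserves resources through the VIM rather than in a local dictionary.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VNFD:
    """VNF catalog entry: per-VNFC resources, initial VNFC count and the elasticity parameter."""
    name: str
    vcpus: int        # per VNFC
    mem_mb: int       # per VNFC
    vnfcs: int        # initial number of VNFC instances
    elasticity: str   # "none" | "up_down" | "out_in" | "both"


@dataclass(frozen=True)
class NSD:
    """NS catalog entry: constituent VNFs and the virtual links that connect them."""
    name: str
    vnfs: Tuple[str, ...]
    links: Tuple[Tuple[str, str], ...]


@dataclass
class VNFInstance:
    vnfd: VNFD
    vnfcs: int
    vcpus: int       # per VNFC, changed by scale up/down
    mem_mb: int      # per VNFC, changed by scale up/down

    def total(self) -> Tuple[int, int]:
        return self.vnfcs * self.vcpus, self.vnfcs * self.mem_mb


ALLOWED_OPS = {"none": set(), "up_down": {"up", "down"}, "out_in": {"out", "in"},
               "both": {"up", "down", "out", "in"}}


class NFVO:
    """Orchestrator holding the NS catalog, VNF catalog, NFV instances and NFVI resources records."""

    def __init__(self, nfvi_vcpus: int, nfvi_mem_mb: int):
        self.ns_catalog: Dict[str, NSD] = {}
        self.vnf_catalog: Dict[str, VNFD] = {}
        self.nfv_instances: Dict[str, Dict[str, VNFInstance]] = {}
        self.nfvi_resources = {"vcpus_free": nfvi_vcpus, "mem_mb_free": nfvi_mem_mb}

    def onboard(self, nsd: NSD, vnfds: List[VNFD]) -> None:
        """Store descriptors; reject an NSD that references VNFs or link endpoints it does not declare."""
        for d in vnfds:
            self.vnf_catalog[d.name] = d
        missing = [v for v in nsd.vnfs if v not in self.vnf_catalog]
        dangling = [l for l in nsd.links if not set(l) <= set(nsd.vnfs)]
        if missing or dangling:
            raise ValueError(f"NSD {nsd.name} rejected: unknown VNFDs {missing}, dangling links {dangling}")
        self.ns_catalog[nsd.name] = nsd

    def _reserve(self, vcpus: int, mem_mb: int) -> None:
        """Feasibility check, then allocation; negative deltas release resources."""
        free = self.nfvi_resources
        if vcpus > free["vcpus_free"] or mem_mb > free["mem_mb_free"]:
            raise RuntimeError(f"infeasible: need {vcpus} vCPU / {mem_mb} MB, free {free}")
        free["vcpus_free"] -= vcpus
        free["mem_mb_free"] -= mem_mb

    def instantiate_ns(self, nsd_name: str) -> str:
        """Create every VNF of the service from its VNFD after one feasibility check for the whole NS."""
        nsd = self.ns_catalog[nsd_name]
        vnfs = {}
        for v in nsd.vnfs:
            d = self.vnf_catalog[v]
            vnfs[v] = VNFInstance(d, d.vnfcs, d.vcpus, d.mem_mb)
        totals = [i.total() for i in vnfs.values()]
        self._reserve(sum(c for c, _ in totals), sum(m for _, m in totals))
        ns_id = f"ns-{len(self.nfv_instances) + 1}"
        self.nfv_instances[ns_id] = vnfs
        return ns_id

    def scale(self, ns_id: str, vnf: str, op: str, n: int = 1) -> Tuple[int, int]:
        """Scale one VNF by n steps; returns the VNF's (vCPU, MB) totals afterwards."""
        inst = self.nfv_instances[ns_id][vnf]
        if op not in ALLOWED_OPS[inst.vnfd.elasticity]:
            raise PermissionError(f"{vnf}: elasticity={inst.vnfd.elasticity} forbids scale {op}")
        saved = (inst.vnfcs, inst.vcpus, inst.mem_mb)
        before = inst.total()
        if op == "out":
            inst.vnfcs += n
        elif op == "in":
            inst.vnfcs = max(1, inst.vnfcs - n)
        elif op == "up":                       # one step = the VNFD's base allotment per VNFC
            inst.vcpus += n * inst.vnfd.vcpus
            inst.mem_mb += n * inst.vnfd.mem_mb
        else:
            inst.vcpus = max(inst.vnfd.vcpus, inst.vcpus - n * inst.vnfd.vcpus)
            inst.mem_mb = max(inst.vnfd.mem_mb, inst.mem_mb - n * inst.vnfd.mem_mb)
        after = inst.total()
        try:
            self._reserve(after[0] - before[0], after[1] - before[1])
        except RuntimeError:
            inst.vnfcs, inst.vcpus, inst.mem_mb = saved   # roll back: the NFVI cannot satisfy the request
            raise
        return after

    def terminate_ns(self, ns_id: str) -> None:
        """Release every VNF of the service back to the NFVI resources record."""
        for inst in self.nfv_instances.pop(ns_id).values():
            c, m = inst.total()
            self._reserve(-c, -m)
```

Usage: `o = NFVO(16, 32768); o.onboard(NSD("web-ns", ("vlb", "vfw"), (("vlb", "vfw"),)), [VNFD("vfw", 2, 4096, 2, "both"), VNFD("vlb", 1, 2048, 1, "out_in")]); ns = o.instantiate_ns("web-ns")` then `o.scale(ns, "vfw", "out")`. A scale-up request on `vlb` is refused by its elasticity parameter before any resources are touched, and a scale-out that exceeds the free NFVI capacity leaves the instance record unchanged, which is the property an operator relies on to keep the NFV instances and NFVI resources repositories consistent with each other.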

 

Element Management

 

Element management (EM) is responsible for fault, configuration, accounting, performance, and security (FCAPS) management of a VNF. These management functions are also the responsibility of the VNFM; unlike the VNFM, however, the EM may perform them through a proprietary interface to the VNF. The EM must nevertheless exchange information with the VNFM through the open reference point (VeEm-Vnfm). The EM may be aware of virtualization and collaborate with the VNFM to perform those functions that require exchanging information about the NFVI resources associated with the VNF. EM functions include the following:

 

Configuration of the network functions provided by the VNF

 

Fault management for the network functions provided by the VNF

 

Accounting for the usage of VNF functions

 

Collection of performance measurement results for the functions provided by the VNF

 

Security management for the VNF functions

 

OSS/BSS

 

The OSS/BSS are the combination of the operator's other operations and business support functions that are not otherwise explicitly captured in the present architectural framework but are expected to exchange information with the functional blocks of the NFV-MANO architectural framework. OSS/BSS functions may provide management and orchestration of legacy systems and may have full end-to-end visibility of the services provided by legacy network functions in an operator's network.

 

In principle, the functionality of existing OSS/BSS could be extended to manage VNFs and the NFVI directly, but that would be a vendor-proprietary implementation. Because NFV is an open platform, managing NFV entities through open interfaces, as MANO does, makes more sense. Existing OSS/BSS can, however, add value to NFV MANO by offering functions that a particular implementation of NFV MANO does not support. This is done through the open reference point (Os-Ma) between NFV MANO and the existing OSS/BSS.

 

8.4 NFV Use Cases

 

ISG NFV has developed a representative set of service models and high-level use cases that NFV may address. These use cases are intended to drive further development of standards and products for network-wide implementation. The Use Cases document identifies and describes a first set of service models and high-level use cases that, in the view of the NFV ISG member companies, represent important service models and initial fields of application for NFV, and that span the scope of the technical challenges being addressed by the NFV ISG.

 

There are currently nine use cases, which can be divided into architectural use cases and service-oriented use cases, as described in Table 8.4.

 
TABLE 8.4 ETSI NFV Use Cases

 

Architectural Use Cases

 

The four architectural use cases focus on providing general-purpose services and applications based on the NFVI architecture.

 
NFVI as a Service
 

NFVIaaS is a scenario in which a service provider implements and deploys an NFVI that may be used to support VNFs both by the NFVIaaS provider itself and by other network service providers. For the NFVIaaS provider, the service delivers economies of scale: the infrastructure is sized to support the provider's own VNF deployments plus extra capacity that can be sold to other providers. The NFVIaaS customer can offer services using another service provider's NFVI and has the flexibility to deploy VNFs rapidly, whether for new services or to scale out existing ones. Cloud computing providers may find this service particularly attractive.

 

Figure 8.9 provides an example [ONF14]. Service provider X offers a virtualized load balancing service. Some of carrier X's customers need load balancing at locations where X does not maintain NFVI but service provider Z does. NFVIaaS gives carrier Z a means to lease NFV infrastructure (compute, network, hypervisors, and so on) to service provider X, giving the latter access to infrastructure that would otherwise be prohibitively expensive to obtain. Through leasing, such capacity is available on demand and can be scaled as needed.

 
FIGURE 8.9 NFVIaaS Example

 
VNF as a Service
 

Whereas NFVIaaS is similar to the cloud model of Infrastructure as a Service (IaaS), VNFaaS corresponds to the cloud model of Software as a Service (SaaS). NFVIaaS provides the virtualization infrastructure that lets a network service provider develop and deploy VNFs at lower cost and in less time than implementing both the NFVI and the VNFs. With VNFaaS, a provider develops VNFs that are then available off the shelf to customers. This model is well suited to virtualizing customer premises equipment such as routers and firewalls.

 
Virtual Network Platform as a Service
 

VNPaaS is similar to an NFVIaaS that includes VNFs as components of the virtual network infrastructure. The primary differences are the programmability and development tools of VNPaaS, which allow the subscriber to create and configure custom ETSI NFV-compliant VNFs to augment the catalog of VNFs offered by the service provider. This allows all third-party and custom VNFs to be orchestrated via the VNF FG.

 
VNF Forwarding Graph
 

A VNF FG allows virtual appliances to be chained together in a flexible manner, a technique called service chaining. For example, a flow may pass through a network monitoring VNF, a load-balancing VNF, and finally a firewall VNF on its way from one endpoint to another. The VNF FG use case is based on an information model that describes the VNFs and physical entities to the appropriate management/orchestration systems used by the service provider. The model describes the characteristics of the entities, including the NFV infrastructure requirements of each VNF and all the required connections among VNFs and between VNFs and the physical network included in the IaaS service. To ensure the required performance and resiliency of the end-to-end service, the information model must be able to specify the capacity, performance, and resiliency requirements of each VNF in the graph. To meet SLAs, the management and orchestration system needs to monitor the nodes and links included in the service graph. In theory, a VNF FG can span the facilities of multiple network service providers.

 


Service-Oriented Use Cases

 


These use cases focus on the provision of services to end customers, in which the underlying infrastructure is transparent.

 
Virtualization of the Mobile Core Network and IP Multimedia Subsystem

Mobile cellular networks have evolved to contain a variety of interconnected network function elements, typically involving a large variety of proprietary hardware appliances. NFV aims at reducing the network complexity and related operational issues by leveraging standard IT virtualization technologies to consolidate different types of network equipment onto industry standard high-volume servers, switches, and storage, located in NFVI-PoPs.

 
Mobile Base Station Virtualization

The focus of this use case is radio access network (RAN) equipment in mobile networks. RAN is the part of a telecommunications system that implements a wireless technology to access the core network of the mobile network service provider. At minimum, it involves hardware on the customer premises or in the mobile device and equipment forming a base station for access to the mobile network. There is the possibility that a number of RAN functions can be virtualized as VNFs running on industry standard infrastructure.

 
Virtualization of the Home Environment

This use case deals with network provider equipment located as customer premises equipment (CPE) in a residential location. These CPE devices mark the operator/service provider presence at the customer premises and usually include a residential gateway (RGW) for Internet and Voice over IP (VoIP) services (for example, a modem/router for digital subscriber line [DSL] or cable), and a set-top box (STB) for media services normally supporting local storage for personal video recording (PVR) services. NFV technologies become ideal candidates to support this concentration of computation workload from formerly dispersed functions with minimal cost and improved time to market, while new services can be introduced as required on a grow-as-you-need basis. Further, the VNFs can reside on services in the network service provider’s PoP. This greatly simplifies the electronics environment of the home, reducing end user and operator capital expenditure (CapEx).

 
Virtualization of CDNs

Delivery of content, especially of video, is one of the major challenges of all operator networks because of the massive growing amount of traffic to be delivered to end customers of the network. The growth of video traffic is driven by the shift from broadcast to unicast delivery via IP, by the variety of devices used for video consumption and by increasing quality of video delivered via IP networks in resolution and frame rate.

 


Complementary to the growth of today’s video traffic, the requirements on quality are also evolving: Internet actors are more and more in position to provide both live and on-demand content services to Internet end users, with similar quality constraints as for traditional TV service of network operators.

 


Some Internet service providers (ISPs) are deploying proprietary Content Delivery Network (CDN) cache nodes in their networks to improve delivery of video and other high-bandwidth services to their customers. Cache nodes typically run on dedicated appliances running on custom or industry standard server platforms. Both CDN cache nodes and CDN control nodes can potentially be virtualized. The benefits of CDN virtualization are similar to those gained in other NFV use cases, such as VNFaaS.

 
Fixed Access Network Functions Virtualization

NFV offers the potential to virtualize remote functions in the hybrid fiber/copper access network and passive optical network (PON) fiber to the home and hybrid fiber/wireless access networks. This use case has the potential for cost savings by moving complex processing closer to the network. An additional benefit is that virtualization supports multiple tenancy, in which more than one organizational entity can either be allocated, or given direct control of, a dedicated partition of a virtual access node. Finally, virtualizing broadband access nodes can enable synergies to be exploited by the co-location of wireless access nodes in a common NFV platform framework (that is, common NFVI-PoPs), thereby improving the deployment economics and reducing the overall energy consumption of the combined solution.

 


An indication of the relative importance of the various use cases is found in a survey of 176 network professionals from a range of industries, reported in 2015 Guide to SDN and NFV [METZ14] and conducted in late 2014. The survey respondents were asked to indicate the two use cases that they think will gain the most traction in the market over the next two years. Table 8.5 shows their responses. The data in Table 8.5 indicates that although IT organizations have interest in a number of the ETSI-defined use cases, by a wide margin they are most interested in the NFVIaaS use case.

 

TABLE 8.5 Interest in ETSI NFV Use Cases

 


8.5 SDN and NFV

 


Over the past few years, the hottest topics in networking have been SDN and NFV. Separate standards bodies are pursuing the two technologies, and a large, growing number of providers have announced or are working on products in the two fields. Each technology can be implemented and deployed separately, but there is clearly a potential for added value by the coordinated use of both technologies. It is likely that over time, SDN and NFV will tightly interoperate to provide a broad, unified software-based networking approach to abstract and programmatically control network equipment and network-based resources.

 


The relationship between SDN and NFV is perhaps viewed as SDN functioning as an enabler of NFV. A major challenge with NFV is to best enable the user to configure a network so that VNFs running on servers are connected to the network at the appropriate place, with the appropriate connectivity to other VNFs, and with desired QoS. With SDN, users and orchestration software can dynamically configure the network and the distribution and connectivity of VNFs. Without SDN, NFV requires much more manual intervention, especially when resources beyond the scope of NFVI are part of the environment.

 


The Kemp Technologies Blog [MCMU14] gives the example of load balancing where load balancer services are implemented as VNF entities. If demand for load-balancing capacity increases, a network orchestration layer can rapidly spin up new load-balancing instances and also adjust the network switching infrastructure to accommodate the changed traffic patterns. In turn, the load-balancing VNF entity can interact with the SDN controller to assess network performance and capacity and use this additional information to balance traffic better, or even to request provisioning of additional VNF resources.

 


Some of the ways that ETSI believes that NFV and SDN complement each other include the following:

 


The SDN controller fits well into the broader concept of a network controller in an NFVI network domain.

 


SDN can play a significant role in the orchestration of the NFVI resources, both physical and virtual, enabling functionality such as provisioning, configuration of network connectivity, bandwidth allocation, automation of operations, monitoring, security, and policy control.

 


SDN can provide the network virtualization required to support multitenant NFVIs.

 


Forwarding graphs can be implemented using the SDN controller to provide automated provisioning of service chains, while ensuring strong and consistent implementation of security and other policies.

 


The SDN controller can be run as a VNF, possibly as part of a service chain including other VNFs. For example, applications and services originally developed to run on the SDN controller could also be implemented as separate VNFs.

 


Figure 8.10, from the ETSI VNF Architecture document, indicates the potential relationship between SDN and NFV. The arrows can be described as follows:

 

FIGURE 8.10 Mapping of SDN Components with NFV Architecture

 


SDN enabled switch/NEs include physical switches, hypervisor virtual switches, and embedded switches on the NICs.

 


Virtual networks created using an infrastructure network SDN controller provide connectivity services between VNFC instances.

 


SDN controller can be virtualized, running as a VNF with its EM and VNF manager. Note that there may be SDN controllers for the physical infrastructure, the virtual infrastructure, and the virtual and physical network functions. As such, some of these SDN controllers may reside in the NFVI or management and orchestration (MANO) functional blocks (not shown in figure).

 


SDN enabled VNF includes any VNF that may be under the control of an SDN controller (for example, virtual router, virtual firewall).

 

SDN applications, for example service chaining applications, can be VNFs themselves.

 


Nf-Vi interface allows management of the SDN enabled infrastructure.

 


Ve-Vnfm interface is used between the SDN VNF (SDN controller VNF, SDN network functions VNF, SDN applications VNF) and their respective VNF Manager for lifecycle management.

 


Vn-Nf allows SDN VNFs to access connectivity services between VNFC interfaces.

 

8.6 Key Terms

After completing this chapter, you should be able to define the following terms.

compute domain
compute node
container
container interface
content delivery network (CDN)
deep packet inspection
element management
element management system (EMS)
forwarding graph (FG)
functional block interface
gateway node
hypervisor
hypervisor domain
infrastructure network domain (IND)
L3 virtual network
layered virtual network
network interface card
network node
NFV management and orchestration (MANO)
NFV infrastructure (NFVI)
NFV orchestrator
NFVI domain
operations support system
reference points
scale out
scale up
service chaining
storage node
virtual network
virtual overlay
virtual partition
virtualized infrastructure manager
virtualization
virtualization container
virtualized network function (VNF)
VNF manager
vswitch

 

8.7 References

KHAN15: Khan, F. A Beginner’s Guide to NFV Management & Orchestration (MANO). Telecom Lighthouse. April 9, 2015. http://www.telecomlighthouse.com.

MCMU14: McMullin, M. “SDN is from Mars, NFV is from Venus.” Kemp Technologies Blog, November 20, 2014. http://kemptechnologies.com/blog/sdn-mars-nfv-venus.

METZ14a: Metzler, J. The 2015 Guide to SDN and NFV. Webtorials, December 2014.

ONF14: Open Networking Foundation. OpenFlow-Enabled SDN and Network Functions Virtualization. ONF white paper, February 17, 2014.

 


Chapter 9. Network Virtualization

 


In recent years a strong and significant partnership has grown up between computers and communication systems. On the one hand, computers are being used to effect far-reaching improvements in communication systems, while on the other, communication systems are being used to increase and extend the utility of computers.

 


What Can Be Automated?

The Computer Science and Engineering Research Study, National Science Foundation, 1980

 

Chapter Objectives: After studying this chapter, you should be able to

Understand the concept of a virtual LAN and the three ways of defining a VLAN.

Present an overview of the IEEE 802.1Q standards.

Explain how OpenFlow supports VLANs.

Understand the concept of a virtual private network.

Define network virtualization.

Understand the operation of OpenDaylight’s Virtual Tenant Network.

Summarize the concepts of software-defined infrastructure.

Discuss software-defined storage.

 
 


Mechanisms for defining virtual networks have been in use for many years. Virtual networks have two important benefits:

 


They enable the user to construct and manage networks independent of the underlying physical network and with assurance of isolation from other virtual networks using the same physical network.

 


They enable network providers to efficiently use network resources to support a wide range of user requirements.

 


The chapter begins with a discussion of two well-established and widely used virtual network techniques: virtual LANs (VLANs) and virtual private networks (VPNs). The chapter then introduces the more general and broader concept of network virtualization. After exploring a simple example, you will learn about the network virtualization architecture and the benefits of this approach. The chapter also looks at OpenDaylight’s Virtual Tenant Network, which is a VLAN-based capability, but which exhibits many of the features of network virtualization. Finally, the chapter introduces the concept of software-defined infrastructure, which encompasses many of the concepts of software-defined network (SDN), network functions virtualization (NFV), and network virtualization.

 


9.1 Virtual LANs

 

Figure 9.1 shows a relatively common type of hierarchical LAN configuration. In this example, the devices on the LAN are organized into four segments, each served by a LAN switch. The LAN switch is a store-and-forward packet-forwarding device used to interconnect a number of end systems to form a LAN segment. The switch can forward a media access control (MAC) frame from a source-attached device to a destination-attached device. It can also broadcast a frame from a source-attached device to all other attached devices. Multiple switches can be interconnected so that multiple LAN segments form a larger LAN. A LAN switch can also connect to a transmission link or a router or other network device to provide connectivity to the Internet or other WANs.

 

FIGURE 9.1 A LAN Configuration

 


Traditionally, a LAN switch operated exclusively at the MAC level. Contemporary LAN switches generally provide greater functionality, including multilayer awareness (Layers 3, 4, application), quality of service (QoS) support, and trunking for wide-area networking.

 


The three lower groups in Figure 9.1 might correspond to different departments, which are physically separated, and the upper group could correspond to a centralized server farm that is used by all the departments.

 


Consider the transmission of a single MAC frame from workstation X. Suppose the destination MAC address in the frame is workstation Y. This frame is transmitted from X to the local switch, which then directs the frame along the link to Y. If X transmits a frame addressed to Z or W, its local switch forwards the MAC frame through the appropriate switches to the intended destination. All these are examples of unicast addressing, in which the destination address in the MAC frame designates a unique destination. A MAC frame may also contain a broadcast address, in which case the destination MAC address indicates that all devices on the LAN should receive a copy of the frame. Thus, if X transmits a frame with a broadcast destination address, all the devices on all the switches in Figure 9.1 receive a copy of the frame. The total collection of devices that receive broadcast frames from each other is referred to as a broadcast domain.

 


In many situations, a broadcast frame is used for a purpose, such as network management or the transmission of some type of alert, with a relatively local significance. Thus, in Figure 9.1, if a broadcast frame has information that is useful only to a particular department, transmission capacity is wasted on the other portions of the LAN and on the other switches.

 


One simple approach to improving efficiency is to physically partition the LAN into separate broadcast domains, as shown in Figure 9.2. We now have four separate LANs connected by a router. In this case, a broadcast frame from X is transmitted only to the other devices directly connected to the same switch as X. An IP packet from X intended for Z is handled as follows. The IP layer at X determines that the next hop to the destination is via router V. This information is handed down to X’s MAC layer, which prepares a MAC frame with a destination MAC address of router V. When V receives the frame, it strips off the MAC header, determines the destination, and encapsulates the IP packet in a MAC frame with a destination MAC address of Z. This frame is then sent to the appropriate Ethernet switch for delivery.

 

FIGURE 9.2 A Partitioned LAN

 


The drawback to this approach is that the traffic pattern may not correspond to the physical distribution of devices. For example, some departmental workstations may generate a lot of traffic with one of the central servers. Further, as the networks expand, more routers are needed to separate users into broadcast domains and provide connectivity among broadcast domains. Routers introduce more latency than switches because the router must process more of the packet to determine destinations and route the data to the appropriate end node.

 


The Use of Virtual LANs

 


A more effective alternative is the creation of VLANs. In essence, a virtual local-area network (VLAN) is a logical subgroup within a LAN that is created by software rather than by physically moving and separating devices. It combines user stations and network devices into a single broadcast domain regardless of the physical LAN segment they are attached to and allows traffic to flow more efficiently within populations of mutual interest. The VLAN logic is implemented in LAN switches and functions at the MAC layer. Because the objective is to isolate traffic within the VLAN, a router is required to link from one VLAN to another. Routers can be implemented as separate devices, so that traffic from one VLAN to another is directed to a router, or the router logic can be implemented as part of the LAN switch, as shown in Figure 9.3.

 

FIGURE 9.3 A VLAN Configuration

 


VLANs enable any organization to be physically dispersed throughout the company while maintaining its group identity. For example, accounting personnel can be located on the shop floor, in the research and development center, in the cash disbursement office, and in the corporate offices, while all members reside on the same virtual network, sharing traffic only with each other.

 


Figure 9.3 shows five defined VLANs. A transmission from workstation X to server Z is within the same VLAN, so it is efficiently switched at the MAC level. A broadcast MAC frame from X is transmitted to all devices in all portions of the same VLAN. But a transmission from X to printer Y goes from one VLAN to another. Accordingly, router logic at the IP level is required to move the IP packet from X to Y. Figure 9.3 shows that logic integrated into the switch, so that the switch determines whether the incoming MAC frame is destined for another device on the same VLAN. If not, the switch routes the enclosed IP packet at the IP level.

 


Defining VLANs

 


A VLAN is a broadcast domain consisting of a group of end stations, perhaps on multiple physical LAN segments, that are not constrained by their physical location and can communicate as if they were on a common LAN. Some means is therefore needed for defining VLAN membership. A number of different approaches have been used for defining membership, including the following:

 

Membership by port group: Each switch in the LAN configuration contains two types of ports: a trunk port, which connects two switches; and an end port, which connects the switch to an end system. A VLAN can be defined by assigning each end port to a specific VLAN. This approach has the advantage that it is relatively easy to configure. The principal disadvantage is that the network manager must reconfigure VLAN membership when an end system moves from one port to another.

 


Membership by MAC address: Because MAC layer addresses are hardwired into the workstation’s network interface card (NIC), VLANs based on MAC addresses enable network managers to move a workstation to a different physical location on the network and have that workstation automatically retain its VLAN membership. The main problem with this method is that VLAN membership must be assigned initially. In networks with thousands of users, this is no easy task. Also, in environments where notebook PCs are used, the MAC address is associated with the docking station and not with the notebook PC. Consequently, when a notebook PC is moved to a different docking station, its VLAN membership must be reconfigured.

 


Membership based on protocol information: VLAN membership can be assigned based on IP address, transport protocol information, or even higher-layer protocol information. This is a quite flexible approach, but it does require switches to examine portions of the MAC frame above the MAC layer, which may have a performance impact.
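As an added illustration of the three membership methods just listed, and of the broadcast-domain behaviour described earlier in this section, the following Python model is mine and not code from the book. It simulates one VLAN-aware switch that classifies each incoming frame by protocol rule, then MAC rule, then port rule (that precedence order is an assumption of this model, not something the chapter or the standard fixes), learns source addresses per VLAN, and floods broadcast and unknown-unicast frames only to the ports of the frame's VLAN plus trunk ports. The class and method names, port numbers, MAC addresses and subnet are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None   # set when the payload is IP, for protocol-based rules


class VlanSwitch:
    """One VLAN-aware switch; end ports carry untagged frames, trunk ports join every VLAN."""

    def __init__(self, ports, trunk_ports=()):
        self.ports = sorted(ports)
        self.trunk_ports = set(trunk_ports)
        self.port_vlan = {}      # end port -> VID (membership by port group)
        self.mac_vlan = {}       # source MAC -> VID (membership by MAC address)
        self.subnet_vlan = []    # (ip_network, VID) (membership by protocol information)
        self.mac_table = {}      # (VID, MAC) -> port, learned from source addresses

    def assign_port(self, port, vid):
        self.port_vlan[port] = vid

    def assign_mac(self, mac, vid):
        self.mac_vlan[mac.lower()] = vid

    def assign_subnet(self, cidr, vid):
        self.subnet_vlan.append((ipaddress.ip_network(cidr), vid))

    def classify(self, in_port, frame):
        """Pick the frame's VLAN. Precedence protocol > MAC > port is an assumption of this model."""
        if frame.src_ip is not None:
            ip = ipaddress.ip_address(frame.src_ip)
            for net, vid in self.subnet_vlan:
                if ip in net:
                    return vid
        mac = frame.src_mac.lower()
        if mac in self.mac_vlan:
            return self.mac_vlan[mac]
        return self.port_vlan.get(in_port)   # None: port has no VLAN, frame is dropped

    def broadcast_domain(self, vid):
        """Ports that receive a broadcast in this VLAN: static members, learned members, trunks."""
        members = {p for p, v in self.port_vlan.items() if v == vid}
        members |= {p for (v, _mac), p in self.mac_table.items() if v == vid}
        return members | self.trunk_ports

    def forward(self, in_port, frame):
        """Return (vid, egress ports). Broadcast and unknown unicast flood the VLAN only."""
        vid = self.classify(in_port, frame)
        if vid is None:
            return None, []
        self.mac_table[(vid, frame.src_mac.lower())] = in_port
        dst = frame.dst_mac.lower()
        if dst != BROADCAST and (vid, dst) in self.mac_table:
            out_port = self.mac_table[(vid, dst)]
            egress = [] if out_port == in_port else [out_port]
            return vid, egress
        return vid, sorted(self.broadcast_domain(vid) - {in_port})


def demo():
    """Constructed scenario: ports 1-2 in VLAN 10, port 3 in VLAN 20, port 4 a trunk."""
    sw = VlanSwitch([1, 2, 3, 4], trunk_ports=[4])
    sw.assign_port(1, 10)
    sw.assign_port(2, 10)
    sw.assign_port(3, 20)
    sw.assign_mac("aa:bb:cc:00:00:01", 10)    # roaming host keeps VLAN 10 wherever it plugs in
    sw.assign_subnet("10.20.0.0/16", 20)      # anything sourced from 10.20/16 belongs to VLAN 20
    results = []
    # broadcast from a VLAN 10 port: reaches the other VLAN 10 port and the trunk only
    results.append(sw.forward(1, Frame("00:00:00:00:00:01", BROADCAST)))
    # the roaming host plugged into the VLAN 20 port is still placed in VLAN 10 by its MAC
    results.append(sw.forward(3, Frame("aa:bb:cc:00:00:01", BROADCAST)))
    # known unicast inside VLAN 10 goes to the single learned port
    results.append(sw.forward(1, Frame("00:00:00:00:00:01", "aa:bb:cc:00:00:01")))
    # protocol rule: a 10.20/16 source on a VLAN 10 port is classified into VLAN 20
    results.append(sw.forward(1, Frame("00:00:00:00:00:02", BROADCAST, src_ip="10.20.1.5")))
    return results


if __name__ == "__main__":
    for vid, ports in demo():
        print(f"VLAN {vid}: forwarded to ports {ports}")
```

The model makes the trade-off in the text visible: the MAC rule lets a station keep its VLAN when it moves ports, but only after the administrator has entered every MAC, and the protocol rule needs the switch to look past the MAC header at the IP source address before it can choose the VLAN.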

 


Communicating VLAN Membership

 


Switches must have a way of understanding VLAN membership (that is, which stations belong to which VLAN) when network traffic arrives from other switches; otherwise, VLANs would be limited to a single switch. One possibility is to configure the information manually or with some type of network management signaling protocol, so that switches can associate incoming frames with the appropriate VLAN.

 


A more common approach is frame tagging, in which a header is typically inserted into each frame on interswitch trunks to uniquely identify to which VLAN a particular MAC-layer frame belongs. The IEEE 802 committee has developed a standard for frame tagging, IEEE 802.1Q, which we examine next.

 


IEEE 802.1Q VLAN Standard

 


The IEEE 802.1Q standard, last updated in 2014, defines the operation of VLAN bridges and switches that permits the definition, operation, and administration of VLAN topologies within a bridged/switched LAN infrastructure. In this section, we concentrate on the application of this standard to 802.3 LANs.

 


Recall that a VLAN is an administratively configured broadcast domain, consisting of a subset of end stations attached to a LAN. A VLAN is not limited to one switch but can span multiple interconnected switches. In that case, traffic between switches must indicate VLAN membership. This is accomplished in 802.1Q by inserting a tag with a VLAN identifier (VID) with a value in the range from 1 to 4094. Each VLAN in a LAN configuration is assigned a globally unique VID. By assigning the same VID to end systems on many switches, one or more VLAN broadcast domains can be extended across a large network.

 


Figure 9.4 shows the position and content of the 802.1 tag, referred to as Tag Control Information (TCI). The presence of the two-octet TCI field is indicated by inserting a Length/Type field in the 802.3 MAC frame with a value of 8100 hex. The TCI consists of three subfields, as described in the list that follows.

 

FIGURE 9.4 Tagged IEEE 802.3 MAC Frame Format

 


User priority (3 bits): The priority level for this frame.

 


Canonical format indicator (1 bit): Is always set to 0 for Ethernet switches. CFI is used for compatibility between Ethernet type networks and Token Ring type networks. If a frame received at an Ethernet port has a CFI set to 1, that frame should not be forwarded as it is to an untagged port.

 

• VLAN identifier (12 bits): The identification of the VLAN. Of the 4096 possible VIDs, a VID of 0 is used to identify that the TCI contains only a priority value, and 4095 (0xFFF) is reserved, so the maximum possible number of VLAN configurations is 4094.

 

Figure 9.5 illustrates a LAN configuration that includes three switches that implement 802.1Q and one “legacy” switch that does not. In this case, all the end systems of the legacy device must belong to the same VLAN. The MAC frames that traverse trunks between VLAN-aware switches include the 802.1Q TCI tag. This tag is stripped off before a frame is forwarded to a legacy switch. For end systems connected to a VLAN-aware switch, the MAC frame may or may not include the TCI tag, depending on the implementation. The important point is that the TCI tag is used between VLAN-aware switches so that appropriate routing and frame handling can be performed.

 
FIGURE 9.5 A VLAN Configuration with 802.1Q and Legacy Switches

 

Nested VLANs

 

The original 802.1Q specification allowed for a single VLAN tag field to be inserted into an Ethernet MAC frame. More recent versions of the standard allow for the insertion of two VLAN tag fields, allowing the definition of multiple sub-VLANs within a single VLAN. This additional flexibility might be useful in some complex configurations.

 

For example, a single VLAN level suffices for an Ethernet configuration entirely on a single premises. However, it is not uncommon for an enterprise to make use of a network service provider to interconnect multiple LAN locations, and to use metropolitan area Ethernet links to connect to the provider. Multiple customers of the service provider may wish to use the 802.1Q tagging facility across the service provider network (SPN).

 

One possible approach is for the customer’s VLANs to be visible to the service provider. In that case, the service provider could support a total of only 4094 VLANs for all its customers. Instead, the service provider inserts a second VLAN tag into Ethernet frames. For example, consider two customers with multiple sites, both of which use the same SPN (see part a of Figure 9.6). Customer A has configured VLANs 1 to 100 at their sites, and similarly Customer B has configured VLANs 1 to 50 at their sites. The tagged data frames belonging to the customers must be kept separate while they traverse the service provider’s network. Each customer’s data frames can be identified and kept separate by associating another VLAN with that customer’s traffic. This results in the already tagged customer data frame being tagged again with a second VLAN tag when it traverses the SPN (see part b of Figure 9.6). The additional tag is removed at the edge of the SPN when the data enters the customer’s network again. This nested VLAN tagging is known as VLAN stacking or as Q-in-Q.
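The tag layout of Figure 9.4 and the Q-in-Q stacking just described can be exercised with a small parser. The following is an added example, not code from the book: it decodes the TPID and the three TCI subfields, walks a stack of up to two tags, applies the text's VID 0, VID 4095 and CFI rules, and shows the provider-edge push and pop of the outer tag. The 802.1ad TPID 0x88A8 used for the outer service tag is a real value but an assumption beyond the text, which mentions only 0x8100; all frame bytes are constructed for the example.

```python
"""802.1Q Tag Control Information (TCI) parser with Q-in-Q (stacked) tags.

Added example, not code from the book. It implements the tag layout the text
describes (Length/Type 0x8100, 3-bit user priority, 1-bit CFI, 12-bit VID) and
walks a stack of up to two tags, as VLAN stacking does. The 802.1ad TPID 0x88A8
used for the outer service tag is a real value but an assumption beyond the
text, which only mentions 0x8100. All frame bytes below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

TPID_8021Q = 0x8100   # Length/Type value announcing a TCI (from the text)
TPID_8021AD = 0x88A8  # 802.1ad service tag TPID (assumption, not from the text)
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}
MAX_TAGS = 2          # the current standard allows two tag fields
VID_RESERVED = 0xFFF  # 4095 is reserved; 0 means "priority only" (from the text)


@dataclass
class VlanTag:
    tpid: int
    priority: int  # 3 bits
    cfi: int       # 1 bit
    vid: int       # 12 bits

    def tci(self) -> int:
        if not (0 <= self.priority < 8 and self.cfi in (0, 1) and 0 <= self.vid < 4096):
            raise ValueError("TCI subfield out of range")
        return (self.priority << 13) | (self.cfi << 12) | self.vid


@dataclass
class Frame:
    dst: bytes
    src: bytes
    tags: List[VlanTag]  # outermost first
    ethertype: int       # Length/Type following the tag stack
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Decode addresses, then every tag until a non-TPID Length/Type is seen."""
    if len(raw) < 14:
        raise ValueError("frame shorter than a minimal untagged header")
    dst, src, off, tags = raw[:6], raw[6:12], 12, []
    while True:
        if len(raw) < off + 2:
            raise ValueError("truncated Length/Type field")
        (ltype,) = struct.unpack_from("!H", raw, off)
        if ltype not in TAG_TPIDS:
            break
        if len(tags) == MAX_TAGS:
            raise ValueError("more than %d VLAN tags" % MAX_TAGS)
        if len(raw) < off + 4:
            raise ValueError("truncated TCI")
        (tci,) = struct.unpack_from("!H", raw, off + 2)
        tag = VlanTag(ltype, (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF)
        if tag.vid == VID_RESERVED:
            raise ValueError("VID 4095 is reserved")
        tags.append(tag)
        off += 4
    return Frame(dst, src, tags, ltype, raw[off + 2:])


def build_frame(f: Frame) -> bytes:
    out = f.dst + f.src
    for t in f.tags:
        out += struct.pack("!HH", t.tpid, t.tci())
    return out + struct.pack("!H", f.ethertype) + f.payload


def vlan_membership(f: Frame) -> Optional[int]:
    """VID a switch uses for membership; None for untagged or priority-only (VID 0) frames."""
    if not f.tags or f.tags[0].vid == 0:
        return None
    return f.tags[0].vid


def may_forward_to_untagged_port(f: Frame) -> bool:
    """The text's CFI rule: a frame carrying CFI=1 must not go out an untagged port as is."""
    return all(t.cfi == 0 for t in f.tags)


def push_service_tag(f: Frame, s_vid: int, priority: int = 0) -> Frame:
    """Provider edge ingress (Q-in-Q): add an outer tag identifying the customer."""
    return Frame(f.dst, f.src, [VlanTag(TPID_8021AD, priority, 0, s_vid)] + f.tags,
                 f.ethertype, f.payload)


def pop_service_tag(f: Frame) -> Frame:
    """Provider edge egress (Q-in-Q): strip the outer tag before re-entering the customer LAN."""
    if not f.tags:
        raise ValueError("no tag to pop")
    return Frame(f.dst, f.src, f.tags[1:], f.ethertype, f.payload)


# Constructed sample: broadcast frame from customer VLAN 100, priority 5, IPv4 payload.
CUSTOMER_FRAME = build_frame(Frame(
    dst=bytes.fromhex("ffffffffffff"), src=bytes.fromhex("020000000001"),
    tags=[VlanTag(TPID_8021Q, 5, 0, 100)], ethertype=0x0800, payload=b"\x45" + b"\x00" * 19))
```

Parsing stops at the first Length/Type that is not a tag TPID, so an untagged frame, a priority-tagged frame (VID 0) and a double-tagged frame all go through the same loop; the reserved VID and the two-tag ceiling are rejected at parse time rather than left for the forwarding logic to trip over.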

 
FIGURE 9.6 Use of Stacked VLAN Tags

 

9.2 OpenFlow VLAN Support

 

A traditional 802.1Q VLAN requires that the network switches have a complete knowledge of the VLAN mapping. This knowledge may be manually configured or acquired automatically. Another drawback is related to the choice of one of three ways of defining group membership (port group, MAC address, protocol information). The network administrator must evaluate the trade-offs according to the type of network they wish to deploy and choose one of the possible approaches. It would be difficult to deploy a more flexible definition of a VLAN or even a custom definition (for example, use a combination of IP addresses and ports) with traditional networking devices. Reconfiguring VLANs is also a daunting task for administrators: Multiple switches and routers have to be reconfigured whenever VMs are relocated.

 

SDN, and in particular OpenFlow, allows for much more flexible management and control of VLANs. It should be clear how OpenFlow can set up flow table entries for forwarding based on one or both VLAN tags, and how tags can be added, modified, and removed.
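To make the last sentence concrete, here is an added example (not from the book, and not the code of any OpenFlow switch or controller) modelling a two-table pipeline with match fields and the VLAN actions OpenFlow defines: push_vlan, set_field on vlan_vid, pop_vlan, output and goto_table. Table 0 acts on the outer tag and table 1 on the tag beneath it, which is how a single pipeline forwards on "one or both" tags; the port numbers, VIDs and the provider-edge role are constructed for the example.

```python
"""OpenFlow-style pipeline acting on one or both VLAN tags.

Added example, not from the book or any OpenFlow controller or switch: a minimal
model of a two-table pipeline with match fields and the VLAN actions OpenFlow
defines (push_vlan, set_field on vlan_vid, pop_vlan, output, goto_table).
Packets are plain objects; port numbers and VIDs are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ANY = object()  # wildcard for a match field


@dataclass
class Packet:
    in_port: int
    vlans: List[int] = field(default_factory=list)  # VIDs, outermost first
    out_ports: List[int] = field(default_factory=list)

    @property
    def outer_vid(self) -> Optional[int]:
        return self.vlans[0] if self.vlans else None


@dataclass
class FlowEntry:
    priority: int
    in_port: object = ANY
    vlan_vid: object = ANY  # ANY, None (untagged only) or an exact outermost VID
    actions: list = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        port_ok = self.in_port is ANY or self.in_port == pkt.in_port
        vid_ok = self.vlan_vid is ANY or self.vlan_vid == pkt.outer_vid
        return port_ok and vid_ok


class Switch:
    def __init__(self, n_tables: int = 2):
        self.tables: List[List[FlowEntry]] = [[] for _ in range(n_tables)]

    def add_flow(self, table: int, entry: FlowEntry) -> None:
        self.tables[table].append(entry)
        self.tables[table].sort(key=lambda e: -e.priority)  # highest priority first

    def process(self, pkt: Packet) -> Packet:
        """Run the packet through the tables; a table miss drops it (no output ports)."""
        table: Optional[int] = 0
        while table is not None:
            entry = next((e for e in self.tables[table] if e.matches(pkt)), None)
            if entry is None:
                pkt.out_ports.clear()  # table miss: dropped
                return pkt
            table = self._apply(entry.actions, pkt)
        return pkt

    @staticmethod
    def _apply(actions, pkt: Packet) -> Optional[int]:
        for act, *args in actions:
            if act == "push_vlan":
                pkt.vlans.insert(0, 0)           # new outermost tag, VID 0 until set_field
            elif act == "set_field":
                if not pkt.vlans:
                    raise ValueError("set_field vlan_vid on an untagged packet")
                pkt.vlans[0] = args[0]
            elif act == "pop_vlan":
                if not pkt.vlans:
                    raise ValueError("pop_vlan on an untagged packet")
                pkt.vlans.pop(0)
            elif act == "output":
                pkt.out_ports.append(args[0])
            elif act == "goto_table":
                return args[0]                   # continue in the next table
            else:
                raise ValueError("unknown action %r" % act)
        return None


def build_provider_edge() -> Switch:
    """Constructed Q-in-Q edge: port 1 = customer trunk, port 2 = untagged access
    port in customer VLAN 200, port 10 = provider trunk carrying service VID 10."""
    sw = Switch()
    # Table 0, customer side: add the service tag and send toward the provider.
    sw.add_flow(0, FlowEntry(100, in_port=1, actions=[
        ("push_vlan",), ("set_field", 10), ("output", 10)]))
    sw.add_flow(0, FlowEntry(100, in_port=2, vlan_vid=None, actions=[
        ("push_vlan",), ("set_field", 200), ("push_vlan",), ("set_field", 10), ("output", 10)]))
    # Table 0, provider side: strip the service tag, then let table 1 see the customer tag.
    sw.add_flow(0, FlowEntry(100, in_port=10, vlan_vid=10, actions=[
        ("pop_vlan",), ("goto_table", 1)]))
    # Table 1: forward on the (now outermost) customer VID.
    sw.add_flow(1, FlowEntry(50, vlan_vid=100, actions=[("output", 1)]))
    sw.add_flow(1, FlowEntry(50, vlan_vid=200, actions=[("pop_vlan",), ("output", 2)]))
    return sw
```

The table-miss behaviour is the security-relevant default: a frame from the provider trunk whose outer tag is not the expected service VID, or whose inner tag has no entry in table 1, is dropped rather than leaking into a customer port. A real OpenFlow push_vlan action also carries the TPID to insert; the model omits that field.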

 

9.3 Virtual Private Networks

 

In today’s distributed computing environment, the virtual private network (VPN) offers an attractive solution to network managers. A VPN is a private network that is configured within a public network (a carrier’s network or the Internet) to take advantage of the economies of scale and management facilities of large networks. VPNs are widely used by enterprises to create WANs that span large geographic areas, to provide site-to-site connections to branch offices, and to allow mobile users to dial up their company LANs. From the point of view of the provider, the public network facility is shared by many customers, with the traffic of each customer segregated from other traffic. Traffic designated as VPN traffic can only go from a VPN source to a destination in the same VPN. It is often the case that encryption and authentication facilities are provided for the VPN.

 

A typical scenario for an enterprise that uses VPNs is the following. At each corporate site, one or more LANs link workstations, servers, and databases. The LANs are under the control of the enterprise and can be configured and tuned for cost-effective performance. VPNs over the Internet or some other public network can be used to interconnect sites, providing a cost savings over the use of a private network and offloading the WAN management task to the public network provider. That same public network provides an access path for telecommuters and other mobile employees to log on to corporate systems from remote sites.

 

The subject of VPNs is extraordinarily complex and this section can only provide a concise overview of the two most common technologies for creating VPNs: IP security (IPsec) and Multiprotocol Label Switching (MPLS).

 

IPsec VPNs

 

Use of a shared network, such as the Internet or a public carrier network, as part of an enterprise network architecture exposes corporate traffic to eavesdropping and provides an entry point for unauthorized users. To counter this problem, IPsec can be used to construct VPNs. The principal feature of IPsec that enables it to support these varied applications is that it can encrypt/authenticate traffic at the IP level. Therefore, all distributed applications, including remote logon, client/server, e-mail, file transfer, web access, and so on, can be secured.

 

Part a of Figure 9.7 shows the packet format for an IPsec option known as tunnel mode. Tunnel mode makes use of the combined authentication/encryption function of IPsec called Encapsulating Security Payload (ESP), together with a key exchange function. For VPNs, both authentication and encryption are generally desired, because it is important both to (1) ensure that unauthorized users do not penetrate the VPN, and (2) ensure that eavesdroppers on the Internet cannot read messages sent over the VPN.

 
FIGURE 9.7 An IPsec VPN Scenario

 

Part b of Figure 9.7 is a typical scenario of IPsec usage. An organization maintains LANs at dispersed locations. Nonsecure IP traffic is conducted on each LAN. For traffic offsite, through some sort of private or public WAN, IPsec protocols are used. These protocols operate in networking devices, such as a router or firewall, that connect each LAN to the outside world. The IPsec networking device will typically encrypt all traffic going into the WAN, and decrypt and authenticate traffic coming from the WAN; these operations are transparent to workstations and servers on the LAN. Secure transmission is also possible with individual users who connect to the WAN. Such user workstations must implement the IPsec protocols to provide security.
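The decisions the perimeter IPsec device makes in this scenario can be written down as a security policy database. The following is an added example, not from the book: it models the per-packet SPD lookup with the RFC 4301 actions BYPASS, PROTECT and DISCARD, the gateway-to-gateway outer header that tunnel mode puts on the WAN, and two inbound checks a practitioner wants (cleartext that the policy says must be protected is dropped, as is any WAN-side packet claiming a local source). The site prefixes and gateway addresses are constructed for the example; the ESP encryption and authentication themselves are outside this snippet.

```python
"""Policy decisions of a perimeter IPsec gateway in the Figure 9.7 scenario.

Added example, not from the book: models the security policy database (SPD) that
an IPsec device consults per packet, using the RFC 4301 actions BYPASS, PROTECT
and DISCARD. Intra-site traffic passes untouched, traffic to the peer site is
encapsulated in tunnel mode behind a gateway-to-gateway outer header, and
everything else, including cleartext that claims a protected source, is
dropped. Site prefixes and gateway addresses are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Policy:
    src: IPv4Net
    dst: IPv4Net
    action: str                        # "BYPASS", "PROTECT" or "DISCARD"
    peer: Optional[str] = None         # remote gateway for PROTECT (tunnel endpoint)


@dataclass(frozen=True)
class Decision:
    action: str
    outer_src: Optional[str] = None    # tunnel-mode outer header, gateway to gateway
    outer_dst: Optional[str] = None
    reason: str = ""


class IpsecGateway:
    def __init__(self, wan_addr: str, local_nets: List[IPv4Net], spd: List[Policy]):
        self.wan_addr = wan_addr
        self.local_nets = local_nets
        self.spd = spd                 # ordered; first match wins, no match = DISCARD

    def lookup(self, src: str, dst: str) -> Policy:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for p in self.spd:
            if s in p.src and d in p.dst:
                return p
        return Policy(IPv4Net("0.0.0.0/0"), IPv4Net("0.0.0.0/0"), "DISCARD")

    def outbound(self, src: str, dst: str) -> Decision:
        """LAN-side packet heading for the WAN."""
        p = self.lookup(src, dst)
        if p.action == "PROTECT":
            # Tunnel mode: the whole inner packet becomes the ESP payload and only the
            # gateway addresses are visible on the WAN.
            return Decision("PROTECT", self.wan_addr, p.peer, "tunnel to peer gateway")
        return Decision(p.action, reason="SPD " + p.action)

    def inbound_cleartext(self, src: str, dst: str) -> Decision:
        """Unprotected packet arriving on the WAN interface."""
        s = ipaddress.ip_address(src)
        if any(s in n for n in self.local_nets):
            return Decision("DISCARD", reason="local source address seen on WAN side")
        p = self.lookup(src, dst)
        if p.action == "PROTECT":
            return Decision("DISCARD", reason="policy requires ESP, packet is cleartext")
        return Decision(p.action, reason="SPD " + p.action)

    def inbound_from_tunnel(self, peer: str, src: str, dst: str) -> Decision:
        """Inner packet after ESP decryption and authentication on the tunnel from `peer`."""
        p = self.lookup(src, dst)
        if p.action != "PROTECT" or p.peer != peer:
            return Decision("DISCARD", reason="inner addresses not covered by this tunnel's policy")
        return Decision("FORWARD", reason="delivered to LAN in the clear")


# Constructed scenario: site A (this gateway) and site B (peer), as in Figure 9.7.
SITE_A = IPv4Net("10.1.0.0/16")
SITE_B = IPv4Net("10.2.0.0/16")
GW_A, GW_B = "198.51.100.1", "203.0.113.1"


def site_a_gateway() -> IpsecGateway:
    spd = [
        Policy(SITE_A, SITE_A, "BYPASS"),            # nonsecure traffic stays on the LAN
        Policy(SITE_A, SITE_B, "PROTECT", GW_B),     # offsite: encrypt and authenticate
        Policy(SITE_B, SITE_A, "PROTECT", GW_B),     # return direction, same tunnel
    ]
    return IpsecGateway(GW_A, [SITE_A], spd)
```

The inner-address check in inbound_from_tunnel is what enforces "traffic designated as VPN traffic can only go from a VPN source to a destination in the same VPN": a peer that authenticates correctly but sends an inner packet outside the negotiated selectors still does not reach the LAN.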

 

Using IPsec to construct a VPN has the following benefits:

 

• When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter. Traffic within a company or workgroup does not incur the overhead of security-related processing.

 

• IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP and the firewall is the only means of entrance from the Internet into the organization.

 

• IPsec is below the transport layer (TCP, UDP) and so is transparent to applications. There is no need to change software on a user or server system when IPsec is implemented in the firewall or router. Even if IPsec is implemented in end systems, upper-layer software, including applications, is not affected.

 

• IPsec can be transparent to end users. There is no need to train users on security mechanisms, issue keying material on a per-user basis, or revoke keying material when users leave the organization.

 

• IPsec can provide security for individual users if needed. This is useful for offsite workers and for setting up a secure virtual subnetwork within an organization for sensitive applications.

 

MPLS VPNs

 

An alternative, and popular, means of constructing VPNs is using MPLS. This discussion begins with a brief summary of MPLS, followed by an overview of two of the most common approaches to VPN implementation using MPLS: the Layer 2 VPN (L2VPN) and the Layer 3 VPN (L3VPN).

 
MPLS Overview

Multiprotocol Label Switching (MPLS) is a set of Internet Engineering Task Force (IETF) specifications for including routing and traffic engineering information in packets. MPLS comprises a number of interrelated protocols, which can be referred to as the MPLS protocol suite. It can be used in IP networks but also in other types of packet-switching networks. MPLS is used to ensure that all packets in a particular flow take the same route over a backbone. Deployed by many telecommunication companies and service providers, MPLS delivers the QoS required to support real-time voice and video as well as service level agreements (SLAs) that guarantee bandwidth.

 

In essence, MPLS is an efficient technique for forwarding and routing packets. MPLS was designed with IP networks in mind, but the technology can be used without IP to construct a network with any link-level protocol. In an ordinary packet-switching network, packet switches must examine various fields within the packet header to determine destination, route, QoS, and any traffic management functions (such as discard or delay) that may be supported. Similarly, in an IP-based network, routers examine a number of fields in the IP header to determine these functions. In an MPLS network, a fixed-length label encapsulates an IP packet or a data link frame. The MPLS label contains all the information needed by an MPLS-enabled router to perform routing, delivery, QoS, and traffic management functions. Unlike IP, MPLS is connection oriented.

 

An MPLS network or internet consists of a set of nodes, called label-switching routers (LSRs) capable of switching and routing packets on the basis of a label appended to each packet. Labels define a flow of packets between two endpoints or, in the case of multicast, between a source endpoint and a multicast group of destination endpoints. For each distinct flow, called a forwarding equivalence class (FEC), a specific path through the network of LSRs is defined, called a label-switched path (LSP). In essence, an FEC represents a group of packets that share the same transport requirements. All packets in an FEC receive the same treatment en route to the destination. These packets follow the same path and receive the same QoS treatment at each hop. In contrast to forwarding in ordinary IP networks, the assignment of a particular packet to a particular FEC is done just once, when the packet enters the network of MPLS routers.

 

The list that follows, based on RFC 4026, Provider Provisioned Virtual Private Network Terminology, defines key VPN terms used in the following discussion:

 

• Attachment circuit (AC): In a Layer 2 VPN, the CE is attached to PE via an AC. The AC may be a physical or logical link.

 

• Customer edge (CE): A device or set of devices on the customer premises that attaches to a provider-provisioned VPN.

 

• Layer 2 VPN (L2VPN): An L2VPN interconnects sets of hosts and routers based on Layer 2 addresses.

 

• Layer 3 VPN (L3VPN): An L3VPN interconnects sets of hosts and routers based on Layer 3 addresses.

 

• Packet-switched network (PSN): A network through which the tunnels supporting the VPN services are set up.

 

• Provider edge (PE): A device or set of devices at the edge of the provider network with the functionality that is needed to interface with the customer.

 

• Tunnel: Connectivity through a PSN that is used to send traffic across the network from one PE to another. The tunnel provides a means to transport packets from one PE to another. Separation of one customer’s traffic from another customer’s traffic is done based on tunnel multiplexers.

 

• Tunnel multiplexer: An entity that is sent with the packets traversing the tunnel to make it possible to decide which instance of a service a packet belongs to and from which sender it was received. In an MPLS network, the tunnel multiplexer is formatted as an MPLS label.

 

• Virtual channel (VC): A VC is transported within a tunnel and identified by its tunnel multiplexer. In an MPLS-enabled IP network, a VC label is an MPLS label used to identify traffic within a tunnel that belongs to a particular VPN; that is, the VC label is the tunnel multiplexer in networks that use MPLS labels.

 

• Virtual private network (VPN): A generic term that covers the use of public or private networks to create groups of users that are separated from other network users and that may communicate among them as if they were on a private network.

 
Layer 2 MPLS VPNs

With a Layer 2 MPLS VPN, there is mutual transparency between the customer network and the provider network. In effect, the customer requests a mesh of unicast LSPs among customer switches that attach to the provider network. Each LSP is viewed as a Layer 2 circuit by the customer. In an L2VPN, the provider’s equipment forwards customer data based on information in the Layer 2 headers, such as an Ethernet MAC address.

 

Figure 9.8 depicts key elements in an L2VPN. Customers connect to the provider by means of a Layer 2 device, such as an Ethernet switch; the customer device that connects to the MPLS network is generally referred to as a customer edge (CE) device. The MPLS edge router is referred to as a provider edge (PE) device. The link between the CE and the PE operates at the link layer (for example, Ethernet), and is referred to as an attachment circuit (AC). The MPLS network then sets up an LSP that acts as a tunnel between two edge routers (that is, two PEs) that attach to two networks of the same enterprise. This tunnel can carry multiple virtual channels (VCs) using label stacking. In a manner very similar to VLAN stacking, the use of multiple MPLS labels enables the nesting of VCs.

 
FIGURE 9.8 MPLS Layer 2 VPN Concepts

 

When a link-layer frame arrives at the PE from the CE, the PE creates an MPLS packet. The PE pushes a label that corresponds to the VC assigned to this frame. Then the PE pushes a second label onto the label stack for this packet that corresponds to the tunnel between the source and destination PE for this VC. The packet is then routed across the LSP associated with this tunnel, using the top label for label switched routing. At the destination edge, the destination PE pops the tunnel label and examines the VC label. This tells the PE how to construct a link-layer frame to deliver the payload across to the destination CE.

 

If the payload of the MPLS packet is an Ethernet frame, the destination PE needs to be able to infer from the VC label the outgoing interface, and perhaps the VLAN identifier. This process is unidirectional, and will be repeated independently for bidirectional operation.

 

The VCs in the tunnel can all belong to a single enterprise, or it is possible for a single tunnel to manage VCs from multiple enterprises. In any case, from the point of view of the customer, a VC is a dedicated link-layer point-to-point channel. If multiple VCs connect a PE to a CE, this is logically the multiplexing of multiple link-layer channels between the customer and the provider.

 
Layer 3 MPLS VPNs

Whereas L2VPNs are constructed based on link-level addresses (for example, MAC addresses), L3VPNs are based on VPN routes between CEs based on IP addresses. As with an L2VPN, an MPLS-based L3VPN typically uses a stack of two labels. The inner label identifies a specific VPN instance; the outer label identifies a tunnel or route through the MPLS provider network. The tunnel label is associated with an LSP and is used for label swapping and forwarding. At the egress PE, the tunnel label is stripped off, and the VPN label is used to direct the packet to the proper CE and to the proper logical flow at that CE.

 

For an L3VPN, the CE implements IP and is thus a router. The CE routers advertise their networks to the provider. The provider network can then use an enhanced version of Border Gateway Protocol (BGP) to establish VPNs between CEs. Inside the provider network, MPLS tools are used to establish routes between edge PEs supporting a VPN. Thus, the provider’s routers participate in the customer’s L3 routing function.
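The two-label push, swap and pop sequence described for L2VPNs and reused by L3VPNs is short enough to run end to end. The following is an added example, not from the book or any router vendor: it encodes the 32-bit MPLS label stack entry, then walks a packet from the ingress PE (inner VC or VPN label first, tunnel label on top) through two transit LSRs that swap only the top label to the egress PE, which pops the tunnel label and demultiplexes on the inner label. Label values, the LFIB contents, interface names and the service table are constructed for the example.

```python
"""MPLS two-label stacks for L2VPN and L3VPN forwarding.

Added example, not from the book or any router implementation: encodes the
32-bit label stack entry (20-bit label, 3-bit traffic class, bottom-of-stack
bit, 8-bit TTL) and walks a packet from the ingress PE (push VC or VPN label,
then tunnel label) through transit LSRs (swap the top label only) to the egress
PE (pop the tunnel label, demultiplex on the inner label). Label values,
interfaces and tables are constructed; as in the text, a VC label selects an
attachment circuit (L2VPN) and a VPN label selects an L3 VPN instance (L3VPN).
"""
import struct
from typing import Dict, List, Tuple


def encode_entry(label: int, tc: int, bos: int, ttl: int) -> bytes:
    if not (0 <= label < 2 ** 20 and 0 <= tc < 8 and bos in (0, 1) and 0 <= ttl < 256):
        raise ValueError("label stack entry field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)


def decode_entry(entry: bytes) -> Tuple[int, int, int, int]:
    word = struct.unpack("!I", entry[:4])[0]
    return word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF


def split_stack(packet: bytes) -> Tuple[List[Tuple[int, int]], bytes]:
    """Return [(label, ttl), ...] outermost first, plus the payload after the bottom entry."""
    labels, off = [], 0
    while True:
        if len(packet) < off + 4:
            raise ValueError("truncated label stack")
        label, _tc, bos, ttl = decode_entry(packet[off:off + 4])
        labels.append((label, ttl))
        off += 4
        if bos:
            return labels, packet[off:]


def ingress_pe(service_label: int, tunnel_label: int, payload: bytes, ttl: int = 64) -> bytes:
    """Push the inner VC/VPN label (bottom of stack) first, then the tunnel label on top."""
    return encode_entry(tunnel_label, 0, 0, ttl) + encode_entry(service_label, 0, 1, ttl) + payload


def transit_lsr(lfib: Dict[int, int], packet: bytes) -> bytes:
    """Swap the top label per the LFIB; the inner label is never inspected."""
    label, tc, bos, ttl = decode_entry(packet[:4])
    if label not in lfib:
        raise LookupError("no LSP for incoming label %d" % label)
    if ttl <= 1:
        raise ValueError("TTL expired")
    return encode_entry(lfib[label], tc, bos, ttl - 1) + packet[4:]


def egress_pe(my_tunnel_labels, service_table: Dict[int, str], packet: bytes) -> Tuple[str, bytes]:
    """Pop the tunnel label, then map the inner label to the AC (L2VPN) or VPN instance (L3VPN)."""
    labels, payload = split_stack(packet)
    if len(labels) != 2 or labels[0][0] not in my_tunnel_labels:
        raise ValueError("expected one of my tunnel labels above exactly one service label")
    inner = labels[1][0]
    if inner not in service_table:
        raise LookupError("unknown service label %d: dropped" % inner)
    return service_table[inner], payload


# Constructed provider network: PE1 -> LSR1 -> LSR2 -> PE2 along a single tunnel LSP.
LFIB_LSR1 = {100: 200}
LFIB_LSR2 = {200: 300}
PE2_TUNNEL_LABELS = {300}
PE2_SERVICES = {
    1001: "L2VPN: attachment circuit ge-0/0/1, VLAN 100",   # VC label for customer A
    2001: "L3VPN: VPN instance customer-B",                 # VPN label for customer B
}


def deliver(service_label: int, payload: bytes) -> Tuple[str, bytes, int]:
    """Run one packet across the constructed path; returns (service, payload, tunnel TTL at PE2)."""
    pkt = ingress_pe(service_label, 100, payload)
    pkt = transit_lsr(LFIB_LSR1, pkt)
    pkt = transit_lsr(LFIB_LSR2, pkt)
    ttl_at_pe2 = split_stack(pkt)[0][0][1]
    service, out = egress_pe(PE2_TUNNEL_LABELS, PE2_SERVICES, pkt)
    return service, out, ttl_at_pe2
```

The payload is opaque to every hop, which is why the same code path serves an Ethernet frame (L2VPN) and an IP packet (L3VPN): only the egress PE's service table differs. An inner label with no entry is dropped, so a packet cannot be steered into another customer's AC or VPN instance by carrying an arbitrary label.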

 

9.4 Network Virtualization

 

This section looks at the important area of network virtualization. One immediate difficulty is that this term is defined differently in a number of academic and industry publications. So we begin by defining some terms, based on definitions in ITU-T Y.3011 (Framework of Network Virtualization for Future Networks, January 2012):

 

• Physical resource: In the context of networking, physical resources include the following: network devices, such as routers, switches, and firewalls; and communication links, including wire and wireless. Hosts such as cloud servers may also be considered as physical network resources.

 

• Logical resource: An independently manageable partition of a physical resource, which inherits the same characteristics as the physical resource and whose capability is bound to the capability of the physical resource. An example is a named partition of disk memory.

 

• Virtual resource: An abstraction of a physical or logical resource, which may have different characteristics from the physical or logical resource and whose capability may be not bound to the capability of the physical or logical resource. As examples, virtual machines (VMs) may be moved dynamically, VPN topologies can be altered dynamically, and access control restrictions may be imposed on a resource.

 

• Virtual network: A network composed of multiple virtual resources (that is, a collection of virtual nodes and virtual links) that is logically isolated from other virtual networks. Y.3011 refers to a virtual network as a logically isolated network partition (LINP).

 

• Network virtualization (NV): A technology that enables the creation of logically isolated virtual networks over shared physical networks so that heterogeneous collections of multiple virtual networks can simultaneously coexist over the shared physical networks. This includes the aggregation of multiple resources in a provider and appearing as a single resource.

 

NV is a far broader concept than VPNs, which only provide traffic isolation, or VLANs, which provide a basic form of topology management. NV implies full administrative control for customizing virtual networks both in terms of the physical resources used and the functionalities provided by the virtual networks.

 

The virtual network presents an abstracted network view whose virtual resources provide users with services similar to those provided by physical networks. Because the virtual resources are software defined, the manager or administrator of a virtual network potentially has a great deal of flexibility in altering topologies, moving resources, and changing the properties and service of various resources. In addition, virtual network users can include not only users of services or applications but also service providers. For example, a cloud service provider can quickly add new services or expanded coverage by leasing virtual networks as needed.

 

A Simplified Example

 

To get some feel for the concepts involved in network virtualization, we begin with a simplified example. Figure 9.9, adapted from the ebook Software Defined Networking—A Definitive Guide [KUMA13], shows a network consisting of three servers and five switches. One server is a trusted platform with a secure operating system that hosts firewall software. All the servers run a hypervisor (virtual machine monitor) enabling them to support multiple VMs. The resources for one enterprise (Enterprise 1) are hosted across the servers and consist of three VMs (VM1a, VM1b, and VM1c) on physical server 1, two VMs (VM1d and VM1e) on physical server 2, and firewall 1 on physical server 3. The virtual switches are used to set up any desired connectivity between the VMs across the servers through the physical switches. The physical switches provide the connectivity between the physical servers. Each enterprise network is layered as a separate virtual network on top of the physical network. Thus, the virtual network for Enterprise 1 is indicated in Figure 9.9 by a dashed circle and labeled VN1. The labeled circle VN2 indicates another virtual network.

 
FIGURE 9.9 Simple Network with Virtual Machines Assigned to Different Administrative Groups

 

This example illustrates three layers of abstraction (see Figure 9.10). At the bottom are the physical resources, managed across one or more administrative domains. The servers are logically partitioned to support multiple VMs. This includes, at least, a partitioning of memory, but may also include a partitioning of the pool of I/O and communications ports and even of the processors or cores of the server. There is then an abstraction function that maps these physical and logical resources into virtual resources. This type of abstraction could be enabled by SDN and NFV functionality, and is managed by software at the virtual resource level.

 
FIGURE 9.10 Levels of Abstraction for Network Virtualization

 

Another abstraction function is used to create network views organized as distinct virtual networks. Each virtual network is managed by a separate virtual network management function.

 

Because resources are defined in software, network virtualization provides a great deal of flexibility, as this example suggests. The manager of virtual network 1 may specify certain QoS requirements for traffic between VMs attached to switch 1 and VMs attached to switch 2, and may specify firewall rules for traffic external to the virtual network. These specifications must ultimately be translated into forwarding rules configured on the physical switches and filtering rules on the physical firewall. Because it is all done in software and without the need for the virtual network manager to understand the physical topology and physical suite of servers, changes are easily implemented.

 

Network Virtualization Architecture

 

An excellent overview of the many elements that contribute to an NV environment is provided by the conceptual architecture defined in Y.3011 and shown in Figure 9.11. The architecture depicts NV as consisting of four levels:

 
FIGURE 9.11 Conceptual Architecture of Network Virtualization (Y.3011)

 

• Physical resources

 

• Virtual resources

 

• Virtual networks

 

• Services

 

A single physical resource can be shared among multiple virtual resources. In turn, each LINP (virtual network) consists of multiple virtual resources and provides a set of services to users.

 

Various management and control functions are performed at each level, not necessarily by the same provider. There are management functions associated with each physical network and its associated resources. A virtual resource manager (VRM) manages a pool of virtual resources created from the physical resources. A VRM interacts with physical network managers (PNMs) to obtain resource commitments. The VRM constructs LINPs, and an LINP manager is allocated to each LINP.

 

Figure 9.12 provides another view of the NV architectural elements. Physical resource management manages physical resources and may create multiple logical resources that have the same characteristics as physical resources. Physical and logical resources are available to the virtual resource management at the interface between physical and virtual layers. The virtual resource management abstracts from the physical and logical resources to create virtual resources. It can also construct a virtual resource that combines other virtual resources. Virtual network management can build VNs on multiple virtual resources that are provided by the virtual resource management. Once a VN is created, the VN management starts to manage its own VN.

FIGURE 9.12 Network Virtualization Resource Hierarchical Model

Benefits of Network Virtualization

A 2014 survey [SDNC14] by SDxCentral of 220 organizations, including network service providers, small and medium-size businesses (SMB), large enterprises, and cloud service providers, reported the following benefits of NV (see Figure 9.13):

FIGURE 9.13 Reported Benefits of Network Virtualization

Flexibility: NV enables the network to be quickly moved, provisioned, and scaled to meet the ever-changing needs of virtualized compute and storage infrastructures.

Operational cost savings: Virtualization of the infrastructure streamlines the operational processes and equipment used to manage the network. Similarly, base software can be unified and more easily supported, with a single unified infrastructure to manage services. This unified infrastructure also allows for automation and orchestration within and between different services and components. From a single set of management components, administrators can coordinate resource availability and automate the procedures necessary to make services available, reducing the need for human operators to manage the process and reducing the potential for error.

Agility: Modifications to the network’s topology or how traffic is handled can be tried in different ways, without needing to modify the existing physical networks.

Scalability: A virtual network can be rapidly scaled to respond to shifting demands by adding or removing physical resources from the pool of available resources.

Capital cost savings: A virtualized deployment can reduce the number of devices needed, providing capital as well as operational cost savings.

Rapid service provisioning/time to market: Physical resources can be allocated to virtual networks on demand, so that within an enterprise resources can be quickly shifted as demand by different users or applications changes. From a user perspective, resources can be acquired and released to minimize utilization demand on the system. New services require minimal training and can be deployed with minimal disruption to the network infrastructure.

Equipment consolidation: NV enables the more efficient use of network resources, thus allowing for consolidating equipment purchases to fewer, more off-the-shelf products.

9.5 OpenDaylight’s Virtual Tenant Network

Virtual Tenant Network (VTN) is an OpenDaylight (ODL) plug-in developed by NEC. It provides multitenant virtual networks on an SDN, using VLAN technology. The VTN abstraction functionality enables users to design and deploy a virtual network without knowing the physical network topology or bandwidth restrictions. VTN allows the users to define the network with a look and feel of a conventional L2/L3 (LAN switch/IP router) network. Once the network is designed on VTN, it is automatically mapped onto the underlying physical network, and then configured on the individual switches leveraging the SDN control protocol.

VTN consists of two components (see Figure 5.6 in Chapter 5, “SDN Control Plane”):

VTN Manager: An ODL controller plug-in that interacts with other modules to implement the components of the VTN model. It also provides a REST interface to configure VTN components in the controller.

VTN Coordinator: An external application that provides a REST interface to users for VTN virtualization. It interacts with the VTN Manager plug-in to implement the user configuration. It is also capable of orchestrating multiple controllers.

Table 9.1 shows the elements that are building blocks for constructing a virtual network. A virtual network is constructed using virtual nodes (vBridge, vRouter) together with virtual interfaces and links. By connecting the virtual interfaces made on virtual nodes via virtual links, it is possible to configure a network that has L2 and L3 transfer functions.

TABLE 9.1 Virtual Tenant Network Elements

The upper part of Figure 9.14 is a virtual network example. VRT is defined as the vRouter, and BR1 and BR2 are defined as vBridges. Interfaces of the vRouter and vBridges are connected using vLinks. Once a user of VTN Manager has defined a virtual network, the VTN Coordinator maps physical network resources to the constructed virtual network. Mapping identifies which virtual network each packet transmitted or received by an OpenFlow switch belongs to, as well as which interface in the OpenFlow switch transmits or receives that packet. There are two mapping methods:

FIGURE 9.14 VTN Mapping Example

Port mapping: This mapping method is used to map a physical port as an interface of a virtual node (vBridge/vTerminal). Port-map is used when the network topology is known in advance.

VLAN mapping: This mapping method is used to map the VLAN ID of the VLAN tag in an incoming Layer 2 frame to a vBridge. This mapping is used when the affiliated network and its VLAN tag are known. Whenever this mapping method is used, it is possible to reduce the number of commands to be set.

Figure 9.14 shows a mapping example. An interface of BR1 is mapped to a port on OpenFlow switch SW1. Packets received from that SW1 port are regarded as those from the corresponding interface of BR1. The interface if1 of vBridge (BR1) is mapped to the port GBE0/1 of switch1 using port-map. Packets received or transmitted by GBE0/1 of switch1 are considered as those from or to the interface if1 of vBridge. vBridge BR2 is mapped to VLAN 200 using vlan-map. Packets having the VLAN ID of 200 received or transmitted by the port of any switch in the network are mapped to the vBridge BR2.

VTN provides the capability to define and manage traffic flows across a virtual network. As with OpenFlow, flows are defined based on the value of various fields in packets. A flow can be defined using one or a combination of the following fields:

Source MAC Address

Destination MAC Address

Ethernet Type

VLAN Priority

Source IP Address

Destination IP Address

IP Version

Differentiated Services Codepoint (DSCP)

TCP/UDP Source Port

TCP/UDP Destination Port

ICMP Type

ICMP Code

Table 9.2 outlines the types of Action that can be applied on packets that match the Flow Filter conditions.

TABLE 9.2 Virtual Tenant Flow Filter Actions
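As an added example (not code from the book, NEC or OpenDaylight), the following Python model applies the Figure 9.14 mappings to sample frames and then evaluates a flow filter over the match fields listed above, showing that a frame no mapping claims has no tenant network to enter and that vlan-map trusts the VLAN tag on whichever switch port it arrives. Port-map taking precedence over vlan-map, the pass/drop filter actions, and the switch and port names beyond those in Figure 9.14 are assumptions of this model.

```python
"""Toy model of VTN port-map / vlan-map classification and flow filters.

Added example, not NEC's or OpenDaylight's VTN code. Constructed data mirrors
Figure 9.14: BR1 if1 is port-mapped to switch1 GBE0/1; BR2 is vlan-mapped to
VLAN 200. Assumed here: port-map is consulted before vlan-map, and the only
filter actions modelled are "pass" and "drop" (Table 9.2 is not reproduced).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fields a VTN flow filter may match on, as listed in the chapter.
FLOW_FIELDS = (
    "src_mac", "dst_mac", "eth_type", "vlan_priority", "src_ip", "dst_ip",
    "ip_version", "dscp", "l4_src_port", "l4_dst_port", "icmp_type", "icmp_code",
)


@dataclass(frozen=True)
class Frame:
    """A frame as seen by an OpenFlow switch; None means the field is absent."""
    switch: str
    port: str
    vlan_id: Optional[int] = None          # None = untagged
    src_mac: str = "02:00:00:00:00:01"     # constructed sample addresses
    dst_mac: str = "02:00:00:00:00:02"
    eth_type: int = 0x0800
    vlan_priority: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    ip_version: Optional[int] = None
    dscp: Optional[int] = None
    l4_src_port: Optional[int] = None
    l4_dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


class VTN:
    def __init__(self) -> None:
        self.port_maps: Dict[Tuple[str, str], Tuple[str, str]] = {}   # (switch, port) -> (vBridge, if)
        self.vlan_maps: Dict[int, str] = {}                            # VLAN ID -> vBridge
        self.flow_filters: Dict[str, List[Tuple[Dict[str, object], str]]] = {}

    def port_map(self, vbridge: str, iface: str, switch: str, port: str) -> None:
        self.port_maps[(switch, port)] = (vbridge, iface)

    def vlan_map(self, vbridge: str, vlan_id: int) -> None:
        self.vlan_maps[vlan_id] = vbridge

    def add_flow_filter(self, vbridge: str, match: Dict[str, object], action: str) -> None:
        unknown = set(match) - set(FLOW_FIELDS)
        if unknown:
            raise ValueError(f"not a VTN flow-filter field: {sorted(unknown)}")
        if action not in ("pass", "drop"):
            raise ValueError(f"unsupported action: {action}")
        self.flow_filters.setdefault(vbridge, []).append((match, action))

    def classify(self, frame: Frame) -> Optional[Tuple[str, Optional[str]]]:
        """Return the (vBridge, interface) a frame belongs to, or None if no map claims it."""
        if (frame.switch, frame.port) in self.port_maps:
            return self.port_maps[(frame.switch, frame.port)]
        if frame.vlan_id is not None and frame.vlan_id in self.vlan_maps:
            # vlan-map is network wide: the tag alone decides, whatever switch or port saw it.
            return (self.vlan_maps[frame.vlan_id], None)
        return None

    def handle(self, frame: Frame) -> str:
        """'no-vbridge', or the action of the first matching filter on the frame's vBridge."""
        target = self.classify(frame)
        if target is None:
            return "no-vbridge"   # belongs to no tenant network, so there is nowhere to forward it
        vbridge, _iface = target
        for match, action in self.flow_filters.get(vbridge, []):
            if all(getattr(frame, key) == value for key, value in match.items()):
                return action
        return "pass"


def build_figure_9_14_vtn() -> VTN:
    vtn = VTN()
    vtn.port_map("BR1", "if1", "switch1", "GBE0/1")
    vtn.vlan_map("BR2", 200)
    # Constructed tenant policy on BR2: drop IPv4 traffic to TCP/UDP port 23.
    vtn.add_flow_filter("BR2", {"eth_type": 0x0800, "l4_dst_port": 23}, "drop")
    return vtn


def demo() -> Dict[str, str]:
    vtn = build_figure_9_14_vtn()
    frames = {
        "br1_portmap": Frame("switch1", "GBE0/1"),                            # -> BR1.if1
        "br2_vlanmap_other_switch": Frame("switch3", "GBE0/7", vlan_id=200),  # -> BR2
        "br2_port23": Frame("switch3", "GBE0/7", vlan_id=200, l4_dst_port=23),
        "unmapped_port": Frame("switch2", "GBE0/3"),
        "unmapped_vlan": Frame("switch2", "GBE0/3", vlan_id=300),
    }
    return {name: vtn.handle(frame) for name, frame in frames.items()}
```

Calling `demo()` returns the per-frame outcome; the two unmapped frames reach no vBridge, while the VLAN 200 frame is accepted into BR2 from a switch that has no port-map at all.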

Figure 9.15 shows the overall architecture of VTN. The VTN Manager is part of the OpenDaylight controller and uses base network service functions to learn the topology and statistics of the underlying network. A user or application creates virtual networks and specifies network behavior to the VTN Coordinator across a web or REST interface. The VTN Coordinator translates these commands into detailed instructions to the VTN Manager, which in turn uses OpenFlow to map virtual networks to the physical network infrastructure.

FIGURE 9.15 OpenDaylight VTN Architecture

9.6 Software-Defined Infrastructure

Recent years have seen explosive growth in the complexity of data centers, cloud computing facilities, and network infrastructures for enterprises and carriers. An emerging design philosophy to address the challenges of this complexity is software-defined infrastructure (SDI). With SDI, a data center or network infrastructure can autoconfigure itself at run time based on application/business requirements and operator constraints. Automation in SDIs enables infrastructure operators to achieve higher conformance to SLAs, avoid overprovisioning, and automate security and other network-related functions.

Another key characteristic of SDI is that it is highly application driven. Applications tend to change much more slowly than the ecosystem (hardware, system software, networks) that supports them. Individuals and enterprises stay with chosen applications for long periods of time, whereas they replace the hardware and other infrastructure elements at a fast pace. So, providers are at an advantage if the entire infrastructure is software defined and thus able to cope with rapid changes in infrastructure technology.

SDN and NFV are the key enabling technologies for SDI. SDN provides network control systems with the flexibility to steer and provision network resources dynamically. NFV virtualizes network functions as prepackaged software services that are easily deployable in a cloud or network infrastructure environment. So instead of hard-coding a service deployment and its network services, these can now be dynamically provisioned; traffic is then steered through the software services, significantly increasing the agility with which these are provisioned. Although SDN and NFV are necessary components of an SDI, they do not by themselves provide the intelligence that can generate or recommend the required configuration that can then be automatically implemented. Therefore, we can think of SDN and NFV as providing a platform for deploying SDI-enabling software.

A recent paper by Pott [POTT14] lists the following as some of the key features of an SDI offering:

Distributed storage resources with fully inline data deduplication and compression.

Fully automated and integrated backups that are application aware, with autoconfiguring and autotesting. This new generation will be as close to “zero touch” as is possible.

Fully automated and integrated disaster recovery that is application aware, with autoconfiguring and autotesting. This new generation will be as close to “zero touch” as is possible.

Fully integrated hybrid cloud computing, with resources in the public cloud consumed as easily as local. The ability to move between multiple cloud providers, based on cost, data sovereignty requirements, or latency/locality needs. The providers that want to win the hybrid cloud portion of the exercise will build in awareness of privacy and security and allow administrators to easily select not only geolocal providers, but those known to have zero foreign legal attack surface, and they will clearly differentiate between them.

WAN optimization technology.

A hypervisor or hypervisor/container hybrid running on the metal.

Management software to allow administrators to manage the hardware and the hypervisor.

Adaptive monitoring software that will detect new applications and operating systems and automatically monitor them properly. Adaptive monitoring will not require manual configuration.

Predictive analytics software that will determine when resources will exceed capacity, when hardware is likely to fail, or when licensing can no longer be worked around.

Automation and load maximization software that will make sure the hardware and software components are used to their maximum capacity, given the existing hardware and existing licensing bounds.

Orchestration software that will not only spin up groups of applications on demand or as needed, but will provide an “App Store”-like experience for selecting new workloads and getting them up and running on your local infrastructure in just a couple of clicks.

Autobursting, as an adjunct of orchestration, will intelligently decide between hot-adding capacity to legacy workloads (CPU, RAM, and so on) or spinning up new instances of modern burstable applications to handle load. It would, of course, scale them back down when possible.

Hybrid identity services that work across private infrastructure and public cloud spaces. They will not only manage identity but also provide complete user experience management solutions that work anywhere.

Complete software-defined networking stack, including Layer 2 extension between data centers as well as the public and private cloud. This means that spinning up a workload will automatically configure networking, firewalls, intrusion detection, application layer gateways, mirroring, load balancing, content distribution network registration, certificates, and so forth.

Chaos creation in the form of randomized automated testing for failure of all nonlegacy workloads and infrastructure elements to ensure that the network still meets requirements.

Software-Defined Storage

As mentioned, SDN and NFV are key elements of SDI. A third, equally important element is the emerging technology known as software-defined storage (SDS). SDS is a framework for managing a variety of storage systems in the data center that are traditionally not unified. SDS provides the ability to manage these storage assets to meet specific SLAs and to support a variety of applications. The dominant physical architecture for SDS is based on distributed storage, with storage devices distributed across a network.

Figure 9.16 illustrates the main elements of a typical SDS architecture. Physical storage consists of a number of magnetic and solid-state disk arrays, possibly from multiple vendors. Separate from this physical storage plane is a unified set of control software. This must include adaptation logic that can interface with a variety of vendor equipment and control and monitor that equipment. On top of this adaptation layer are a number of basic storage services. An application interface provides an abstracted view of data storage so that applications need not be concerned with the location, attributes, or capacity of individual storage systems. There is also an administrative interface to enable the SDS administrator to manage the distributed storage suite.

FIGURE 9.16 Software-Defined Storage Architecture

SDS puts the emphasis on storage services instead of storage hardware. By decoupling the storage control software from the hardware, a storage resource can be used more efficiently and its administration simplified. For example, a storage administrator can use SLAs when deciding how to provision storage without needing to consider specific hardware attributes. In essence, resources are aggregated into storage pools assigned to users. Data services are applied to meet user or application requirements, and service levels are maintained. When additional resources are needed by an application, the storage control software automatically adds the resources. Conversely, resources are freed up when not in use. The storage control software also automatically removes failed components and systems.

SDI Architecture

A number of companies, including IBM, Cisco, Intel, and HP, either have produced or are working on SDI offerings. There is no standardized specification for SDI, and there are numerous differences in the different initiatives. Nevertheless, the overall SDI architecture is quite similar among the different efforts. A typical example is the SDI architecture defined by Intel. This architecture is organized into three layers, as illustrated in Figure 9.17 and described in the list that follows.

FIGURE 9.17 Intel’s 3-Layer SDI Model

Orchestration: A policy engine that allows higher level frameworks to manage composition dynamically without interrupting ongoing operations.

Composition: A low-level layer of system software that continually and automatically manages the pool of hardware resources.

Hardware pool: An abstracted pool of modular hardware resources.

The orchestration layer drives the architecture. This layer is concerned with efficient configuration of resources while at the same time meeting application service requirements. Intel’s initial focus appears to be on cloud providers, but other application areas, such as big data and other data center applications, lend themselves to the SDI approach. This layer continually monitors status data, enabling it to solve service issues faster and to continually optimize hardware resource assignment.

The composition layer is a control layer that manages VMs, storage, and network assets. In this architecture, the VM is seen as a dynamic federation of compute, storage, and network resources assembled to run an application instance. Although current VM technology provides a level of flexibility and cost savings over the use of nonvirtualized servers, there is still considerable inefficiency. Suppliers tend to size systems to meet the maximum demand that a VM might impose and hence overprovision so as to guarantee service. With software-defined allocation of resources, more flexibility is available in creating, provisioning, managing, moving, and retiring VMs. Similarly, SDS provides the opportunity to use storage more efficiently.

Composition enables the logical disaggregation of compute, network, and storage resources, so that each VM provides exactly what an application needs. Supporting this at the level of the hardware is Intel’s rack scale architecture (RSA). RSA exploits extremely high data rate optical connection components to redesign the way computer rack systems are implemented. In an RSA design, the speed of the silicon interconnects means that individual components (processors, memory, storage, and network) no longer need to reside in the same box. Individual racks can be dedicated to each of the component classes and scaled to meet the demands of the data center.

Figure 9.18 provides another view of Intel’s SDI architecture, which is in general terms typical of SDI architectures from other organizations. The resource pool consists of storage, network, and compute resources. From a hardware perspective, these can be deployed in an RSA. From a control perspective, SDS, SDN, and NFV technologies enable the management of these resources with an overall SDI framework.

FIGURE 9.18 Intel’s SDI Architecture

9.7 Key Terms

After completing this chapter, you should be able to define the following terms.

broadcast addressing

broadcast domain

data deduplication

differentiated services codepoint (DSCP)

IEEE 802.3

IP security (IPsec)

LAN switch

logical resource

MAC frame

network virtualization

physical resource

software-defined infrastructure (SDI)

software-defined storage (SDS)

unicast addressing

virtual LAN (VLAN)

virtual network

virtual private network (VPN)

virtual resource

Virtual Tenant Network (VTN)

9.8 References

KUMA13: Kumar, R. Software Defined Networking—a Definitive Guide. Smashwords.com, 2013.

POTT14: Pott, T. “SDI Wars: WTF Is Software Defined Center Infrastructure?” The Register, October 17, 2014. http://www.theregister.co.uk/2014/10/17/sdi_wars_what_is_software_defined_infrastructure/

SDNC14: SDNCentral. SDNCentral Network Virtualization Report, 2014 Edition, 2014.

Part IV: Defining and Supporting User Needs

We are beginning to understand, or at least to appreciate, the cause of time delays and overloading phenomena in communication systems handling competing users with different levels of importance. There is a basis for hope that one day we may be able to automate highly sophisticated priority systems. Such systems may even be so effective as to provide the operational equivalent of exercised judgment.

—On Distributed Communications, Introduction to Distributed Communications Networks, Report RM-3420-PR, Paul Baran, August 1964

CHAPTER 10: Quality of Service

CHAPTER 11: QoE: User Quality of Experience

CHAPTER 12: Network Design Implications of QoS and QoE

Fundamental to the acceptance and success of any complex shared networking architecture is that it meets users’ expectations for performance. Traditionally, the means of defining expected performance, measuring it, providing it, and entering into well-defined agreements relating to it has been the concept of quality of service (QoS). QoS remains an essential ingredient in any network design. Chapter 10 provides an overview of QoS concepts and standards. Recently, QoS has been augmented with the concept of quality of experience (QoE), which is particularly relevant to interactive video and multimedia network traffic. Chapter 11 provides an overview of QoE and discusses a number of practical aspects of implementing QoE mechanisms. Chapter 12 looks further into the network design implications of the combined use of QoS and QoE.

Chapter 10. Quality of Service

In the schemes considered, precedence is determined moment-by-moment, automatically for all traffic in the network. Precedence is computed as a composite function of: (1) the ability of the network to accept additional traffic; (2) the “importance” of each user and the “utility” of his traffic; (3) the data rate of each input transmission medium or the transducer used; and (4) the tolerable delay time for delivery of the traffic.

On Distributed Communications: Priority, Precedence, and Overload,

Rand Report RM-3638-PR, Paul Baran, August 1964

Chapter Objectives: After studying this chapter, you should be able to

 

Describe the ITU-T QoS architectural framework.

 

Summarize the key concepts of the Integrated Services Architecture.

 

Compare and contrast elastic and inelastic traffic.

 

Explain the concept of differentiated services.

 

Understand the use of service level agreements.

 

Describe IP performance metrics.

 

Present an overview of OpenFlow QoS support.

The Internet and enterprise IP-based networks continue to see rapid growth in the volume and variety of data traffic. Cloud computing, big data, the pervasive use of mobile devices on enterprise networks, and the increasing use of video streaming all contribute to the increasing difficulty in maintaining satisfactory network performance. Two key tools in measuring the network performance that an enterprise desires to achieve are quality of service (QoS) and quality of experience (QoE). As is discussed in Chapter 2, “Requirements and Technology,” QoS is the measurable end-to-end performance properties of a network service, which can be guaranteed in advance by a service level agreement (SLA) between a user and a service provider, so as to satisfy specific customer application requirements. QoE is a subjective measure of performance as reported by the user. Unlike QoS, which can be precisely measured, QoE relies on human opinion.

QoS and QoE enable the network manager to determine whether the network is meeting user needs and to diagnose problem areas that require adjustment to network management and network traffic control. This chapter looks in some detail at QoS. Chapter 11, “QoE: User Quality of Experience,” and Chapter 12, “Network Design Implications of QoS and QoE,” examine QoE, the relationship between QoS and QoE, and the design implications of a QoE/QoS architecture.

There is a strong need to be able to support a variety of traffic, with a variety of QoS requirements, on IP-based networks. This chapter begins with a look at an overall QoS architecture, which describes internetwork functions and services designed to meet this need. Next, the chapter looks at the Integrated Services Architecture (ISA), which provides a framework for current and future Internet services. We then examine the key concept of differentiated services. The chapter concludes with an introduction to the topics of SLAs and IP performance metrics.

You might find it useful at this point to review Section 2.1, “Types of Network and Internet Traffic,” which reviews various types of traffic and their QoS requirements.

10.1 Background

Historically, the Internet and other IP-based networks provided a best effort delivery service. This means that the network attempts to allocate its resources with equal availability and priority to all traffic flows, with no regard for application priorities, traffic patterns and load, and customer requirements. To protect the network from congestion collapse and to guarantee that some flows do not crowd out other flows, congestion control mechanisms were introduced, which tended to throttle traffic that consumed excessive resources.

 

One of the most important congestion control techniques, introduced early on and still in wide use, is the TCP congestion control mechanism. TCP congestion control has become increasingly complex and sophisticated, but it is worth briefly summarizing the principles involved here. For each TCP connection between two end systems across a network, in each direction, a concept known as the sliding window is used. TCP segments on a connection are numbered sequentially. The sending and receiving TCP entities maintain a window, or buffer, that defines the range of sequence-numbered segments that may be transmitted. As segments arrive and are processed by the receiver, the receiver returns an acknowledgment indicating which segments have been received, implicitly indicating to the sender that the window of sequence numbers has advanced to allow more segments to be sent. Various algorithms are used by the sender to deduce the amount of congestion on a connection based on the round-trip delay for acknowledgments plus whether an acknowledgment is even received for a particular segment. As congestion is detected, the sending TCP entity reduces its transmission of segments to help ease congestion on the intervening network.

 

TCP can work well if all the TCP connections across an Internet conform to the congestion control mechanism. The scheme is less effective if some connections, on behalf of “selfish” applications, ignore the congestion control rules and attempt to send segments as rapidly as possible.
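A constructed toy model of the two behaviors just described, added here and not part of the book: a bottleneck link shared by a window-based sender that backs off when it sees loss and a selfish sender that ignores loss. The link capacity, the senders' rates and the proportional-drop rule are assumptions of the model, not real TCP.

```python
"""Toy model of a shared bottleneck with conforming and selfish senders.

Constructed example, not from the book and not real TCP: a link forwards at
most LINK_CAPACITY packets per tick. A conforming sender keeps a congestion
window (cwnd), grows it by one packet per loss-free tick, and halves it when
any of its packets is dropped (additive increase, multiplicative decrease).
A selfish sender ignores drops and offers a fixed rate every tick.
"""
from typing import Dict

LINK_CAPACITY = 10  # packets the bottleneck link can forward per tick (assumed)


class ConformingSender:
    """Window-based sender that backs off when it observes loss."""

    def __init__(self) -> None:
        self.cwnd = 1  # packets it may offer this tick

    def offer(self) -> int:
        return self.cwnd

    def feedback(self, sent: int, delivered: int) -> None:
        # A missing acknowledgment is the implicit congestion signal.
        if delivered < sent:
            self.cwnd = max(1, self.cwnd // 2)
        else:
            self.cwnd += 1


class SelfishSender:
    """Sender that ignores congestion signals and always offers `rate`."""

    def __init__(self, rate: int) -> None:
        self.rate = rate

    def offer(self) -> int:
        return self.rate

    def feedback(self, sent: int, delivered: int) -> None:
        pass  # never backs off


def run_bottleneck(senders: Dict[str, object], ticks: int) -> Dict[str, int]:
    """Return packets delivered per sender after `ticks` rounds.

    When the offered load exceeds the link capacity, each sender's share is
    cut proportionally, which is roughly how a FIFO tail-drop queue behaves
    under sustained overload (a simplifying assumption of this model).
    """
    delivered_total = {name: 0 for name in senders}
    for _ in range(ticks):
        offered = {name: s.offer() for name, s in senders.items()}
        total = sum(offered.values())
        for name, s in senders.items():
            sent = offered[name]
            if total <= LINK_CAPACITY:
                delivered = sent
            else:
                delivered = sent * LINK_CAPACITY // total  # proportional drop
            delivered_total[name] += delivered
            s.feedback(sent, delivered)
    return delivered_total


def conforming_vs_selfish(ticks: int = 99) -> Dict[str, int]:
    """A conforming sender sharing the link with a selfish sender at 8 pkts/tick."""
    return run_bottleneck({"conforming": ConformingSender(),
                           "selfish": SelfishSender(rate=8)}, ticks)


def two_conforming(ticks: int = 99) -> Dict[str, int]:
    """Two conforming senders sharing the link: they split it evenly."""
    return run_bottleneck({"a": ConformingSender(), "b": ConformingSender()}, ticks)


if __name__ == "__main__":
    print(conforming_vs_selfish())  # the conforming sender is crowded out
    print(two_conforming())         # symmetric shares
```

Over 99 ticks the conforming sender cycles through windows of 1, 2 and 3 and is held to a fraction of the link, while the selfish sender keeps nearly all of its offered rate.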

 

Although TCP congestion control and other network congestion control techniques can reduce the risk of excessive congestion, these techniques do not directly address QoS requirements. As the intensity and variety of traffic increased, various QoS mechanisms were developed, including Integrated Services Architecture (ISA) and differentiated services (DiffServ), accompanied by service level agreements (SLAs) so that the service provided to various customers was tunable and somewhat predictable. These mechanisms and services serve two purposes:

 

Allocate network resources efficiently so as to maximize effective capacity

 

Enable networks to offer different levels of QoS to customers on the basis of customer requirements

 

In this more sophisticated environment, the term best effort refers not to the network service as a whole but to a class of traffic treated in best effort fashion. All packets in the best effort traffic class are transmitted with no guarantee regarding the speed with which the packets will be transmitted to the recipient or that the data will even be delivered entirely. Typically, in a network that provides multiple levels of service, best effort is the classification for the lowest priority traffic. However, for some applications, a class of traffic known as lower than best effort, or lower effort (LE), may be used. LE classification permits a network operator to strictly limit the effect of LE traffic on best effort/normal or all other network traffic. This classification may be suitable for background data transfer applications (such as file sharing and update fetching) or traffic that could be delayed to off-peak times.

 

10.2 QoS Architectural Framework

 

Before looking at the Internet standards that deal with provision of QoS in the Internet and private internetworks, it is useful to consider an overall architectural framework that relates the various elements that go into QoS provision. Such a framework has been developed by the Telecommunication Standardization Sector of the International Telecommunication Union (ITU-T) as part of its Y series of Recommendations.[1] Recommendation Y.1291, An Architectural Framework for Support of Quality of Service in Packet Networks, gives a “big picture” overview of the mechanisms and services that comprise a QoS facility.

 

[1] The Y series, titled Global Information Infrastructure, Internet Protocol Aspects and Next-Generation Networks, contains a number of very useful documents dealing with QoS, congestion control, and traffic management.

 

The Y.1291 framework consists of a set of generic network mechanisms for controlling the network service response to a service request, which can be specific to a network element, or for signaling between network elements, or for controlling and administering traffic across a network. Figure 10.1 shows the relationship among these elements, which are organized into three planes: data, control, and management. This architectural framework is an excellent overview of QoS functions and their relationships and provides a useful basis for summarizing QoS.

 
FIGURE 10.1 Architectural Framework for QoS Support

 

Data Plane

 

The data plane includes those mechanisms that operate directly on flows of data. The following discussion briefly describes each mechanism in turn.

 

Traffic classification refers to the assignment of packets to a traffic class by the ingress router at the ingress edge of the network. Typically, the classification entity looks at multiple fields of a packet, such as source and destination address, application payload, and QoS markings, and determines the aggregate to which the packet belongs. This classification provides network elements a method to weigh the relative importance of one packet over another in a different class. All traffic assigned to a particular flow or other aggregate can be treated similarly. The flow label in the IPv6 header can be used for traffic classification. Other routers en route perform a classification function as well, but the classification does not change as the packets traverse the network.

 

Packet marking encompasses two distinct functions. First, packets may be marked by ingress edge nodes of a network to indicate some form of QoS that the packet should receive. An example is the Differentiated Services (DiffServ) field in the IPv4 and IPv6 packets and the Traffic Class field in MPLS labels. An ingress edge node can set the values in these fields to indicate a desired QoS. Such markings may be used by intermediate nodes to provide differential treatment to incoming packets. Second, packet marking can also be used to mark packets as nonconformant, either by the ingress node or intermediate nodes, which may be dropped later if congestion is experienced.

 

Traffic shaping controls the rate and volume of traffic entering and transiting the network on a per-flow basis. The entity responsible for traffic shaping buffers nonconformant packets until it brings the respective aggregate in compliance with the traffic limitations for this flow. The resulting traffic thus is not as bursty as the original and is more predictable. For example, Y.1221 recommends the use of leaky bucket/token bucket for traffic shaping. Typically, this is a function performed at the ingress edge.

 

Congestion avoidance deals with means for keeping the load of the network under its capacity such that it can operate at an acceptable performance level. The specific objectives are to avoid significant queuing delays and, especially, to avoid congestion collapse. A typical congestion avoidance scheme acts by senders reducing the amount of traffic entering the network upon an indication that network congestion is occurring (or about to occur). Unless there is an explicit indication, packet loss or timer expiration is normally regarded as an implicit indication of network congestion.

 

Traffic policing determines whether the traffic being presented is, on a hop-by-hop basis, compliant with prenegotiated policies or contracts. Nonconformant packets may be dropped, delayed, or labeled as nonconformant. As an example, ITU-T Recommendation Y.1221, Traffic Control and Congestion Control in IP-Based Networks, recommends the use of token bucket to characterize traffic for purposes of traffic policing.
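An added example, not from the book or from Y.1221, of one token bucket used both for shaping (the paragraph before last, where nonconformant packets are delayed) and for policing (this paragraph, where they are only marked). The rate, bucket depth and the four-packet arrival trace are constructed values.

```python
"""Token bucket traffic policing and shaping.

Added example, not from the book. The bucket holds up to `depth` bytes of
credit and refills at `rate` bytes per second. A packet conforms if its size
fits in the credit available at its arrival time. The policer marks each
packet conformant or nonconformant (an operator may then drop or deprioritize
the latter); the shaper instead delays packets until enough credit has
accumulated, so its output is never burstier than the contract allows.
"""
from typing import List, Tuple

EPS = 1e-9  # tolerance for floating-point credit comparisons


class TokenBucket:
    def __init__(self, rate: float, depth: float) -> None:
        self.rate = rate      # bytes of credit added per second
        self.depth = depth    # maximum credit; bounds the permitted burst
        self.tokens = depth   # start with a full bucket
        self.last = 0.0       # time of the last refill

    def _refill(self, now: float) -> None:
        # Credit accrues linearly with time but never exceeds the depth.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.depth, self.tokens + elapsed * self.rate)
        self.last = max(self.last, now)

    def conforms(self, now: float, size: int) -> bool:
        """Policing decision at time `now`; consumes credit on success."""
        self._refill(now)
        if size <= self.tokens + EPS:
            self.tokens -= size
            return True
        return False

    def wait_time(self, now: float, size: int) -> float:
        """Shaping: seconds until `size` bytes of credit will be available."""
        self._refill(now)
        return max(0.0, (size - self.tokens) / self.rate)


# Constructed arrival trace: (arrival time in seconds, size in bytes).
# Three 1000-byte packets in 0.2 s exceed a 1000 B/s, 1500 B contract.
SAMPLE_PACKETS: List[Tuple[float, int]] = [(0.0, 1000), (0.1, 1000), (0.2, 1000), (2.0, 500)]
SAMPLE_RATE = 1000.0   # bytes per second (constructed)
SAMPLE_DEPTH = 1500.0  # bytes (constructed)


def police(packets: List[Tuple[float, int]], rate: float, depth: float) -> List[str]:
    """Mark each packet 'conform' or 'nonconform' without delaying it."""
    bucket = TokenBucket(rate, depth)
    return ["conform" if bucket.conforms(t, size) else "nonconform" for t, size in packets]


def shape(packets: List[Tuple[float, int]], rate: float, depth: float) -> List[float]:
    """Return departure times after delaying packets to fit the contract."""
    bucket = TokenBucket(rate, depth)
    departures = []
    next_free = 0.0  # the shaper output is serialized: packets leave in order
    for t, size in packets:
        ready = max(t, next_free)
        depart = ready + bucket.wait_time(ready, size)
        if not bucket.conforms(depart, size):
            raise RuntimeError("shaper released a nonconformant packet")
        departures.append(depart)
        next_free = depart
    return departures


if __name__ == "__main__":
    print(police(SAMPLE_PACKETS, SAMPLE_RATE, SAMPLE_DEPTH))
    print(shape(SAMPLE_PACKETS, SAMPLE_RATE, SAMPLE_DEPTH))
```

The policer lets the first packet of the burst through on stored credit and marks the next two; the shaper instead spreads the same burst to departures at 0.0, 0.5 and 1.5 seconds.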

 

Queuing and scheduling algorithms, also referred to as queuing discipline algorithms, determine which packet to send next and are used primarily to manage the allocation of transmission capacity among flows. Queuing discipline is discussed in Section 9.3.

 

Queue management algorithms manage the length of packet queues by dropping packets when necessary or appropriate. Active management of queues is concerned primarily with congestion avoidance. In the early days of the Internet, the queue management discipline was to drop any incoming packets when the queue was full, referred to as the tail drop technique. As pointed out in RFC 2309, Recommendations on Queue Management and Congestion Avoidance in the Internet, there are a number of drawbacks to tail drop, including the following:

 

1. There is no reaction to congestion until it is necessary to drop packets, whereas a more aggressive congestion avoidance technique would likely improve overall network performance.

 

2. Queues tend to be close to full, which causes an increase in packet delay through a network and which can result in a large batch of dropped packets for bursty traffic, necessitating many packet retransmissions.

 

3. Tail drop may allow a single connection or a few flows to monopolize queue space, preventing other connections from getting room in the queue.

 

One noteworthy example of queue management is random early detection (RED), defined in RFC 2309. RED drops incoming packets probabilistically based on an estimated average queue size. The probability for dropping increases as the estimated average queue size grows. There are a number of variants of RED that are in more common use than the original RED, with weighted RED (WRED) perhaps the most commonly implemented. WRED prevents network congestion by detecting and slowing flows (according to service class) before congestion occurs. WRED drops selected packets, which alerts the TCP sender to reduce its transmission rate. Weights are assigned to service classes, resulting in low priority flows being slowed more aggressively than high priority ones.
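An added example (not the book's code, and not RFC 2309's or any vendor's WRED) of the RED drop probability with per-class thresholds, run over a constructed overload pattern to show that the lower class is dropped first and hardest. The thresholds, EWMA weight, buffer capacity and arrival pattern are assumptions.

```python
"""Random early detection (RED) with per-class thresholds (WRED-style).

Added example, not from the book, RFC 2309 or any vendor's WRED. The queue
keeps an exponentially weighted moving average of its length; an arriving
packet is dropped with probability 0 below min_th, rising linearly to max_p
just below max_th, and 1 at or above max_th. Giving each service class its
own thresholds makes the low-priority class back off first. Real deployments
use a much smaller EWMA weight than the 0.1 used here to keep the run short.
"""
import random
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class RedProfile:
    min_th: float  # average queue length below which nothing is dropped
    max_th: float  # average queue length at and above which all is dropped
    max_p: float   # drop probability reached just below max_th


# Constructed class profiles: best effort is dropped earlier and harder.
PROFILES: Dict[str, RedProfile] = {
    "premium": RedProfile(min_th=20, max_th=40, max_p=0.1),
    "best_effort": RedProfile(min_th=10, max_th=30, max_p=0.5),
}


def drop_probability(avg: float, profile: RedProfile) -> float:
    """RED drop probability for the current average queue length."""
    if avg < profile.min_th:
        return 0.0
    if avg >= profile.max_th:
        return 1.0
    return profile.max_p * (avg - profile.min_th) / (profile.max_th - profile.min_th)


class RedQueue:
    def __init__(self, capacity: int, weight: float,
                 profiles: Dict[str, RedProfile], seed: int = 0) -> None:
        self.capacity = capacity  # physical buffer limit; tail drop beyond it
        self.weight = weight      # EWMA weight for the average queue length
        self.profiles = profiles
        self.avg = 0.0
        self.length = 0
        self.rng = random.Random(seed)  # seeded so runs are reproducible

    def enqueue(self, cls: str) -> bool:
        """Accept or drop an arriving packet of service class `cls`."""
        self.avg = (1 - self.weight) * self.avg + self.weight * self.length
        if self.length >= self.capacity:
            return False  # buffer full: tail drop regardless of class
        if self.rng.random() < drop_probability(self.avg, self.profiles[cls]):
            return False  # early drop; the TCP sender will slow down
        self.length += 1
        return True

    def serve(self, n: int) -> None:
        """Transmit up to n packets (the outgoing link drains the queue)."""
        self.length = max(0, self.length - n)


def simulate(ticks: int = 200, seed: int = 7) -> Dict[str, int]:
    """Offer 4 packets per tick to a link that serves 2; count drops by class."""
    q = RedQueue(capacity=50, weight=0.1, profiles=PROFILES, seed=seed)
    drops = {cls: 0 for cls in PROFILES}
    for _ in range(ticks):
        for cls in ("premium", "best_effort", "premium", "best_effort"):
            if not q.enqueue(cls):
                drops[cls] += 1
        q.serve(2)
    return drops


if __name__ == "__main__":
    print(simulate())  # best_effort drops far exceed premium drops
```

Because the offered load is twice the service rate, the average queue length must hover where total drops match the excess; with these profiles that point is at or near the best-effort max_th, so almost all of the shortfall is taken from the best-effort class.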

 

Control Plane

 

The control plane is concerned with creating and managing the pathways through which user data flows. It includes admission control, QoS routing, and resource reservation.

 

Admission control determines what user traffic may enter the network. This may be in part determined by the QoS requirements of a data flow compared to the current resource commitment within the network. But beyond balancing QoS requests with available capacity to determine whether to accept a request, there are other considerations in admission control. Network managers and service providers must be able to monitor, control, and enforce use of network resources and services based on policies derived from criteria such as the identity of users and applications, traffic/bandwidth requirements, security considerations, and time of day/week. RFC 2753, A Framework for Policy-Based Admission Control, discusses such policy-related issues.

 

QoS routing determines a network path that is likely to accommodate the requested QoS of a flow. This contrasts with the philosophy of the traditional routing protocols, which generally are looking for a least-cost path through the network. RFC 2386, A Framework for QoS-Based Routing in the Internet, provides an overview of the issues involved in QoS routing. This is an area of ongoing study. An example of a current implementation is Cisco’s Performance Routing (PfR). PfR monitors network performance and selects the best path for each application based upon advanced criteria such as reachability, delay, jitter, and loss. PfR can evenly distribute traffic to maintain equivalent link utilization levels using an advanced load-balancing technique.

 

Resource reservation is a mechanism that reserves network resources on demand for delivering desired network performance to a requesting flow. An example of a protocol that uses this capability is the Resource Reservation Protocol (RSVP). However, this approach has been found to not scale well and is rarely used today.

 

Management Plane

 

The management plane contains mechanisms that affect both control plane and data plane mechanisms. The management plane deals with the operation, administration, and management aspects of the network. It includes SLAs, traffic restoration, traffic metering and recording, and policy.

 

A service level agreement (SLA) typically represents the agreement between a customer and a provider of a service that specifies the level of availability, serviceability, performance, operation, or other attributes of the service. SLAs are discussed in Section 10.5.

 

Traffic metering and recording concerns monitoring the dynamic properties of a traffic stream using performance metrics such as data rate and packet loss rate. It involves observing traffic characteristics at a given network point and collecting and storing the traffic information for analysis and further action. Depending on the conformance level, a meter can invoke necessary treatment (for example, dropping or shaping) for the packet stream. Section 10.6 discusses the types of metrics that are used in this function.

 

Traffic restoration refers to the network response to failures. This encompasses a number of protocol layers and techniques.

 

Policy is a category that refers to a set of rules for administering, managing, and controlling access to network resources. They can be specific to the needs of the service provider or reflect the agreement between the customer and service provider, which may include reliability and availability requirements over a period of time and other QoS requirements.

 

10.3 Integrated Services Architecture

 

To define the requirements for QoS-based service, the IETF developed a suite of standards under the general umbrella of the Integrated Services Architecture (ISA). ISA, intended to provide QoS transport over IP-based internets, is defined in overall terms in RFC 1633, while a number of other documents fill in the details. ISA as such is not implemented in any current products. However, the architectural principles are in wide use, and ISA provides a convenient structure for discussing a number of QoS mechanisms.

 

ISA Approach

 

The purpose of ISA is to enable the provision of QoS support over IP-based internets. The central design issue for ISA is how to share the available capacity in times of congestion.

 

For an IP-based Internet that provides only a best effort service, the tools for controlling congestion and providing service are limited. In essence, routers have two mechanisms to work with:

 

Routing algorithm: Some routing protocols in use in internets allow routes to be selected to minimize delay. Routers exchange information to get a picture of the delays throughout the Internet. Minimum-delay routing helps to balance loads, thus decreasing local congestion, and helps to reduce delays seen by individual TCP connections. Interface data rate may also be used as a metric.

 

Packet discard: When a router’s buffer overflows, it discards packets. Typically, the most recent packet is discarded. The effect of lost packets on a TCP connection is that the sending TCP entity backs off and reduces its load, thus helping to alleviate Internet congestion.

 

These tools have worked reasonably well. However, as the discussion in Section 2.1 (Types of Network and Internet Traffic) shows, such techniques are inadequate for the variety of traffic now coming to internets.

 

In ISA, each IP packet can be associated with a flow. A flow is a distinguishable stream of related IP packets that results from a single user activity and requires the same QoS. For example, a flow might consist of traffic on one transport connection in one direction or one video stream distinguishable by the ISA. A flow differs from a TCP connection in two respects: A flow is unidirectional, and there can be more than one recipient of a flow (multicast). Typically, an IP packet is identified as a member of a flow on the basis of source and destination IP addresses and port numbers, and protocol type. The flow identifier in the IPv6 header is not necessarily equivalent to an ISA flow, but in future the IPv6 flow identifier could be used in ISA.

 

ISA makes use of the following functions to manage congestion and provide QoS transport:

 

Admission control: For QoS transport (other than default best effort transport), ISA requires that a reservation be made for a new flow. If the routers collectively determine that there are insufficient resources to guarantee the requested QoS, the flow is not admitted. The protocol RSVP is used to make reservations.

 

Routing algorithm: The routing decision may be based on a variety of QoS parameters, not just minimum delay.

 

Queuing discipline: A vital element of the ISA is an effective queuing policy that takes into account the differing requirements of different flows.

 

Discard policy: A discard policy determines which packets to drop when a buffer is full and new packets arrive. A discard policy can be an important element in managing congestion and meeting QoS guarantees.

 

ISA Components

 

Figure 10.2 is a general depiction of the implementation architecture for ISA within a router. Below the thick horizontal line are the forwarding functions of the router; these are executed for each packet and therefore must be highly optimized. The remaining functions, above the line, are background functions that create data structures used by the forwarding functions. Thus, the lower portion of Figure 10.2 corresponds roughly to the data plane of Figure 10.1, and the upper portion corresponds to the control plane.

 
FIGURE 10.2 Integrated Services Architecture Implemented in Router

 

The principal background functions are as follows:

 

Reservation protocol: This protocol reserves resources for a new flow at a given level of QoS. It is used among routers and between routers and end systems. The reservation protocol is responsible for maintaining flow-specific state information at the end systems and at the routers along the path of the flow. RSVP is used for this purpose. The reservation protocol updates the traffic control database used by the packet scheduler to determine the service provided for packets of each flow.

 

Admission control: When a new flow is requested, the reservation protocol invokes the admission control function. This function determines if sufficient resources are available for this flow at the requested QoS. This determination is based on the current level of commitment to other reservations or on the current load on the network.

 

Management agent: A network management agent can modify the traffic control database and direct the admission control module to set admission control policies.

 

Routing protocol: The routing protocol is responsible for maintaining a routing database that gives the next hop to be taken for each destination address and each flow.

 

These background functions support the main task of the router, which is the forwarding of packets. The two principal functional areas that accomplish forwarding are the following:

 

Classifier and route selection: For the purposes of forwarding and traffic control, incoming packets must be mapped into classes. A class may correspond to a single flow or to a set of flows with the same QoS requirements. For example, the packets of all video flows or the packets of all flows attributable to a particular organization may be treated identically for purposes of resource allocation and queuing discipline. The selection of class is based on fields in the IP header. Based on the packet’s class and its destination IP address, this function determines the next-hop address for this packet.

 

Packet scheduler: This function manages one or more queues for each output port. It determines the order in which queued packets are transmitted and the selection of packets for discard, if necessary. Decisions are made based on a packet’s class, the contents of the traffic control database, and current and past activity on this outgoing port. Part of the packet scheduler’s task is that of policing, which is the function of determining whether the packet traffic in a given flow exceeds the requested capacity and, if so, deciding how to treat the excess packets.

 

ISA Services

 

ISA service for a flow of packets is defined on two levels. First, a number of general categories of service are provided, each of which provides a certain general type of service guarantees. Second, within each category, the service for a particular flow is specified by the values of certain parameters; together, these values are referred to as a traffic specification (TSpec). Three categories of service are defined:

 

Guaranteed

 

Controlled load

 

Best effort

 

An application can request a reservation for a flow for a guaranteed or controlled load QoS, with a TSpec that defines the exact amount of service required. If the reservation is accepted, the TSpec is part of the contract between the data flow and the service. The service agrees to provide the requested QoS as long as the flow’s data traffic continues to be described accurately by the TSpec. Packets that are not part of a reserved flow are by default given a best effort delivery service.

 
Guaranteed Service
 

The key elements of the guaranteed service are as follows:

 

The service provides assured capacity, or data rate.

 

There is a specified upper bound on the queuing delay through the network. This must be added to the propagation delay, or latency, to arrive at the bound on total delay through the network.

 

There are no queuing losses. That is, no packets are lost because of buffer overflow; packets may be lost because of failures in the network or changes in routing paths.

 

With this service, an application provides a characterization of its expected traffic profile, and the service determines the end-to-end delay that it can guarantee.

 

One category of applications for this service is those that need an upper bound on delay so that a delay buffer can be used for real-time playback of incoming data, and that do not tolerate packet losses because of the degradation in the quality of the output. Another example is applications with hard real-time deadlines.

 

The guaranteed service is the most demanding service provided by ISA. Because the delay bound is firm, the delay has to be set at a large value to cover rare cases of long queuing delays.

 
Controlled Load
 

The key elements of the controlled load service are as follows:

 

The service tightly approximates the behavior visible to applications receiving best effort service under unloaded conditions.

 

There is no specified upper bound on the queuing delay through the network. However, the service ensures that a very high percentage of the packets do not experience delays that greatly exceed the minimum transit delay (that is, the delay due to propagation time plus router processing time with no queuing delays).

 

A very high percentage of transmitted packets will be successfully delivered (that is, almost no queuing loss).

 

As was mentioned, the risk in an internet that provides QoS for real-time applications is that best effort traffic is crowded out. This is because best effort types of applications are assigned a low priority and their traffic is throttled in the face of congestion and delays. The controlled load service guarantees that the network will set aside sufficient resources so that an application that receives this service will see a network that responds as if these real-time applications were not present and competing for resources.

 

The controlled load service is useful for applications that have been referred to as adaptive real-time applications. Such applications do not require an a priori upper bound on the delay through the network. Rather, the receiver measures the jitter experienced by incoming packets and sets the playback point to the minimum delay that still produces a sufficiently low loss rate. (For example, video can be adaptive by dropping a frame or delaying the output stream slightly; voice can be adaptive by adjusting silent periods.)

 

Queuing Discipline

 

An important component of an ISA implementation is the queuing discipline used at the routers. The simplest approach that can be used by a router is a first-in, first-out (FIFO) queuing discipline at each output port. A single queue is maintained at each output port. When a new packet arrives and is routed to an output port, it is placed at the end of the queue. As long as the queue is not empty, the router transmits packets from the queue, taking the oldest remaining packet next.

 

There are several drawbacks to the FIFO queuing discipline:

 

No special treatment is given to packets from flows that are of higher priority or are more delay sensitive. If a number of packets from different flows are ready to be forwarded, they are handled strictly in FIFO order.

 

If a number of smaller packets are queued behind a long packet, FIFO queuing results in a larger average delay per packet than if the shorter packets were transmitted before the longer packet. In general, flows of larger packets get better service.

A selfish TCP connection, which ignores the TCP congestion control rules, can crowd out conforming connections. If congestion occurs and one TCP connection fails to back off, other connections along the same path segment must back off more than they would otherwise have to do.

To overcome the drawbacks of FIFO queuing, a number of more complex routing algorithms have been implemented in routers. These algorithms involve the use of multiple queues at each output port and some method of prioritizing the traffic to provide better service. Typical of the networking industry are the routers from Cisco which, in addition to FIFO, include the following queuing approaches outlined in the Cisco Internetworking Technology Handbook [CISC15]:

Priority queuing (PQ)

Custom queuing (CQ)

Flow-based weighted fair queuing (WFQ)

Class-based weighted fair queuing (CBWFQ)

For priority queuing, each packet is assigned a priority level, and there is one queue for each priority level. In the Cisco implementation, four levels are used: high, medium, normal, and low. Packets not otherwise classified are assigned to the normal priority. PQ can flexibly prioritize according to network protocol, incoming interface, packet size, source/destination address, or other parameters. The queuing discipline gives absolute preference based on priority. Thus, if there are packets waiting in multiple queues, the router dispatches packets on a FIFO basis from the highest-priority queue that is not empty. Only after that queue is empty are packets dispatched from the next lower priority queue. When new packets arrive in a higher priority queue, they immediately take precedence over any packets already waiting in lower priority queues. PQ is useful for assuring that mission-critical application traffic is handled as well as possible, but it risks crowding out lower priority traffic for very long periods of time.

Custom queuing is designed to allow various applications or organizations to share the network among applications with specific minimum throughput or latency requirements. For CQ, there are multiple queues, with each having a configured byte count. The queues are serviced in round-robin fashion. As each queue is visited, a number of packets are dispatched up to the configured byte count. By providing different byte counts for different queues, traffic on each queue is guaranteed a minimum fraction of the overall capacity. Application or protocol traffic can then be assigned to the desired queue.

The remaining queuing algorithms on the preceding list are based on a mechanism known as fair queuing. With simple fair queuing, each incoming packet is placed in the queue for its flow. The queues are serviced in round-robin fashion, taking one packet from each nonempty queue in turn. Empty queues are skipped over. This scheme is fair in that each busy flow gets to send exactly one packet per cycle. Further, this is a form of load balancing among the various flows. There is no advantage in being greedy. A greedy flow finds that its queues become long, increasing its delays, whereas other flows are unaffected by this behavior.

The term weighted fair queuing (WFQ) is used in the literature to refer to a class of scheduling algorithms that use multiple queues to support capacity allocation and delay bounds. Some WFQ schemes take into account the amount of traffic through each queue and give busier queues more capacity without completely shutting out less busy queues. WFQ may also take into account the amount of service requested by each traffic flow and adjust the queuing discipline accordingly.

Flow-based WFQ, which Cisco simply refers to as WFQ, creates flows based on a number of characteristics in a packet, including source and destination addresses, socket numbers, and session identifiers. The flows are assigned different weights based on IP precedence bits to provide greater service for certain queues.

Class-based WFQ (CBWFQ) allows a network administrator to create minimum guaranteed bandwidth classes. Instead of providing a queue for each individual flow, a class is defined that consists of one or more flows. Each class can be guaranteed a minimum amount of bandwidth.
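The following simulation, added here and not code from the book or from Cisco, runs FIFO, PQ, CQ and simple per-flow fair queuing over the same constructed overload (a greedy flow, a conforming flow and a small-packet voice flow offered to a link that drains 3000 bytes per tick) so that the effects described above can be measured: under FIFO each flow's share simply follows its offered load, PQ serves the voice flow almost immediately, and the round-robin schemes hold the greedy flow to one packet or one byte count per cycle. Packet sizes, rates, priorities and byte counts are constructed values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    flow: str
    priority: int   # larger value = higher priority
    size: int       # bytes
    arrival: float  # tick at which the packet reached the output port


class Fifo:
    """Single queue per output port: the baseline described in the text."""
    def __init__(self):
        self.q = deque()
    def enqueue(self, p):
        self.q.append(p)
    def dequeue(self):
        return self.q.popleft() if self.q else None


class PriorityQueuing:
    """One FIFO per priority level; the highest non-empty level always wins."""
    def __init__(self):
        self.levels = {}
    def enqueue(self, p):
        self.levels.setdefault(p.priority, deque()).append(p)
    def dequeue(self):
        for level in sorted(self.levels, reverse=True):
            if self.levels[level]:
                return self.levels[level].popleft()
        return None


class RoundRobin:
    """One queue per flow, visited in turn. byte_counts={flow: n} gives custom
    queuing (keep dispatching until n bytes have gone out on this visit);
    byte_counts=None gives simple fair queuing (one packet per visit)."""
    def __init__(self, byte_counts=None):
        self.byte_counts = byte_counts
        self.queues, self.order = {}, []
        self.idx, self.sent_this_visit = 0, 0
    def enqueue(self, p):
        if p.flow not in self.queues:
            self.queues[p.flow] = deque()
            self.order.append(p.flow)
        self.queues[p.flow].append(p)
    def _visit_done(self, flow):
        if self.byte_counts is None:
            return self.sent_this_visit > 0
        return self.sent_this_visit >= self.byte_counts[flow]
    def dequeue(self):
        # len+1 passes: the queue we start on becomes eligible again once its
        # visit is closed and every other queue turns out to be empty.
        for _ in range(len(self.order) + 1 if self.order else 0):
            flow = self.order[self.idx]
            if self.queues[flow] and not self._visit_done(flow):
                p = self.queues[flow].popleft()
                self.sent_this_visit += p.size
                return p
            self.idx = (self.idx + 1) % len(self.order)
            self.sent_this_visit = 0
        return None


# Constructed workload: (flow, priority, packet size, packets offered per tick).
WORKLOAD = [
    ("greedy", 1, 1500, 3),      # ignores congestion signals: 4500 B/tick
    ("conforming", 1, 1500, 1),  # well-behaved bulk flow: 1500 B/tick
    ("voice", 2, 200, 2),        # small, delay-sensitive: 400 B/tick
]
CAPACITY = 3000  # bytes the link drains per tick; 6400 B/tick are offered


def simulate(scheduler, ticks, workload=WORKLOAD, capacity=CAPACITY):
    """Return ({flow: bytes sent}, {flow: mean delay}, {flow: max delay})."""
    sent, delays = defaultdict(int), defaultdict(list)
    link_free = 0.0  # time at which the link finishes its current packet
    for t in range(ticks):
        for flow, prio, size, rate in workload:
            for _ in range(rate):
                scheduler.enqueue(Packet(flow, prio, size, float(t)))
        while link_free < t + 1:  # the link still has idle time in this tick
            p = scheduler.dequeue()
            if p is None:
                break
            start = max(link_free, t)
            delays[p.flow].append(start - p.arrival)  # queuing delay in ticks
            link_free = start + p.size / capacity
            sent[p.flow] += p.size
    mean = {f: sum(d) / len(d) for f, d in delays.items()}
    worst = {f: max(d) for f, d in delays.items()}
    return dict(sent), mean, worst


def compare(ticks=50):
    """Run the four disciplines on identical offered load."""
    schedulers = {
        "FIFO": Fifo(),
        "PQ": PriorityQueuing(),
        # CQ byte counts: one 1500-byte packet per visit for each bulk flow,
        # 600 bytes for voice (more than it offers per cycle, so it drains).
        "CQ": RoundRobin({"greedy": 1500, "conforming": 1500, "voice": 600}),
        "FQ": RoundRobin(),
    }
    return {name: simulate(s, ticks) for name, s in schedulers.items()}
```

`compare()` returns, per discipline, bytes sent and mean and worst queuing delay per flow; comparing the greedy flow's share and the voice flow's delay across the four results shows the trade-offs the text describes.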

 

10.4 Differentiated Services

The differentiated services (DiffServ) architecture (RFC 2475) is designed to provide a simple, easy-to-implement, low-overhead tool to support a range of network services that are differentiated on the basis of performance.

Several key characteristics of DiffServ contribute to its efficiency and ease of deployment:

IP packets are labeled for differing QoS treatment using the existing IPv4 or IPv6 DSField. Thus, no change is required to IP.

A service level specification (SLS) is established between the service provider (Internet domain) and the customer prior to the use of DiffServ. This avoids the need to incorporate DiffServ mechanisms in applications. Therefore, existing applications need not be modified to use DiffServ. The SLS is a set of parameters and their values that together define the service offered to a traffic stream by a DiffServ domain.

A traffic conditioning specification (TCS) is a part of the SLS that specifies traffic classifier rules and any corresponding traffic profiles and metering, marking, discarding/shaping rules which are to apply to the traffic stream.

DiffServ provides a built-in aggregation mechanism. All traffic with the same DiffServ octet is treated the same by the network service. For example, multiple voice connections are not handled individually but in the aggregate. This provides for good scaling to larger networks and traffic loads.

DiffServ is implemented in individual routers by queuing and forwarding packets based on the DiffServ octet. Routers deal with each packet individually and do not have to save state information on packet flows.

Today, DiffServ is the most widely accepted QoS mechanism in enterprise networks.

Although DiffServ is intended to provide a simple service based on relatively simple mechanisms, the set of RFCs related to DiffServ is relatively complex. Table 10.1 summarizes some of the key terms from these specifications.

TABLE 10.1 Terminology for Differentiated Services

Services

The DiffServ type of service is provided within a DiffServ domain, which is defined as a contiguous portion of the Internet over which a consistent set of DiffServ policies are administered. Typically, a DiffServ domain would be under the control of one administrative entity. The services provided across a DiffServ domain are defined in an SLA, which is a service contract between a customer and the service provider that specifies the forwarding service that the customer should receive for various classes of packets. A customer may be a user organization or another DiffServ domain. Once the SLA is established, the customer submits packets with the DiffServ octet marked to indicate the packet class. The service provider must ensure that the customer gets at least the agreed QoS for each packet class. To provide that QoS, the service provider must configure the appropriate forwarding policies at each router (based on DiffServ octet value) and must measure the performance being provided for each class on an ongoing basis.

If a customer submits packets intended for destinations within the DiffServ domain, the DiffServ domain is expected to provide the agreed service. If the destination is beyond the customer’s DiffServ domain, the DiffServ domain will attempt to forward the packets through other domains, requesting the most appropriate service to match the requested service.

A DiffServ framework document lists the following detailed performance parameters that might be included in an SLA:

Detailed service performance parameters such as expected throughput, drop probability, and latency.

Constraints on the ingress and egress points at which the service is provided, indicating the scope of the service.

Traffic profiles that must be adhered to for the requested service to be provided, such as token bucket parameters.

Disposition of traffic submitted in excess of the specified profile.

The framework document also gives some examples of services that might be provided:

Traffic offered at service level A will be delivered with low latency.

Traffic offered at service level B will be delivered with low loss.

90 percent of in-profile traffic delivered at service level C will experience no more than 50 ms latency.

95 percent of in-profile traffic delivered at service level D will be delivered.

Traffic offered at service level E will be allotted twice the bandwidth of traffic delivered at service level F.

Traffic with drop precedence X has a higher probability of delivery than traffic with drop precedence Y.

The first two examples are qualitative and are valid only in comparison to other traffic, such as default traffic that gets a best effort service. The next two examples are quantitative and provide a specific guarantee that can be verified by measurement on the actual service without comparison to any other services offered at the same time. The final two examples are a mixture of quantitative and qualitative.

DiffServ Field

Packets are labeled for service handling by means of the 6-bit DSField in the IPv4 header or the IPv6 header (Figure 10.3). The value of the DSField, referred to as the DiffServ codepoint (DSCP), is the label used to classify packets for differentiated services.

FIGURE 10.3 IP Headers

With a 6-bit codepoint, there are in principle 64 different classes of traffic that could be defined. These 64 codepoints are allocated across three pools of codepoints, as follows:

Codepoints of the form xxxxx0, where x is either 0 or 1, are reserved for assignment as standards.

Codepoints of the form xxxx11 are reserved for experimental or local use.

Codepoints of the form xxxx01 are also reserved for experimental or local use but may be allocated for future standards action as needed.

DiffServ Configuration and Operation

Figure 10.4 illustrates the type of configuration envisioned in the DiffServ documents. A DiffServ domain consists of a set of contiguous routers; that is, it is possible to get from any router in the domain to any other router in the domain by a path that does not include routers outside the domain. Within a domain, the interpretation of DS codepoints is uniform, so that a uniform, consistent service is provided.

FIGURE 10.4 DS Domains

Routers in a DiffServ domain are either boundary nodes or interior nodes. Typically, the interior nodes implement simple mechanisms for handling packets based on their DS codepoint values. This includes queuing discipline to give preferential treatment depending on codepoint value, and packet dropping rules to dictate which packets should be dropped first in the event of buffer saturation. The DiffServ specifications refer to the forwarding treatment provided at a router as per-hop behavior (PHB). This PHB must be available at all routers, and typically PHB is the only part of DiffServ implemented in interior routers.

The boundary nodes include PHB mechanisms but more sophisticated traffic conditioning mechanisms are also required to provide the desired service. Therefore, interior routers have minimal functionality and minimal overhead in providing the DiffServ service; most of the complexity is in the boundary nodes. The boundary node function can also be provided by a host system attached to the domain, on behalf of the applications at that host system.

The traffic conditioning function consists of five elements:

Classifier: Separates submitted packets into different classes. This is the foundation of providing differentiated services. A classifier may separate traffic only on the basis of the DS codepoint (behavior aggregate classifier) or based on multiple fields within the packet header or even the packet payload (multifield classifier).

Meter: Measures submitted traffic for conformance to a profile. The meter determines whether a given packet stream class is within or exceeds the service level guaranteed for that class.

Marker: Re-marks packets with a different codepoint as needed. This may be done for packets that exceed the profile; for example, if a given throughput is guaranteed for a particular service class, any packets in that class that exceed the throughput in some defined time interval may be re-marked for best effort handling. Also, re-marking may be required at the boundary between two DiffServ domains. For example, if a given traffic class is to receive the highest supported priority, and this is a value of 3 in one domain and 7 in the next domain, packets with a priority 3 value traversing the first domain are re-marked as priority 7 when entering the second domain.

Shaper: Delays packets as necessary so that the packet stream in a given class does not exceed the traffic rate specified in the profile for that class.

Dropper: Drops packets when the rate of packets of a given class exceeds that specified in the profile for that class.

Figure 10.5 illustrates the relationship between the elements of traffic conditioning. After a flow is classified, its resource consumption must be measured. The metering function measures the volume of packets over a particular time interval to determine a flow’s compliance with the traffic agreement. If the host is bursty, a simple data rate or packet rate may not be sufficient to capture the desired traffic characteristics. A token bucket scheme is an example of a way to define a traffic profile to take into account both packet rate and burstiness.

FIGURE 10.5 DS Functions

If a traffic flow exceeds some profile, several approaches can be taken. Individual packets in excess of the profile may be re-marked for lower-quality handling and allowed to pass into the DiffServ domain. A traffic shaper may absorb a burst of packets in a buffer and pace the packets over a longer period. A dropper may drop packets if the buffer used for pacing becomes saturated.

Per-Hop Behavior

DiffServ is a general architecture that can be used to implement a variety of services. As part of the DS standardization effort, specific types of PHB need to be defined, which can be associated with specific differentiated services. Three fundamental forwarding behaviors have been defined and characterized for general use, plus a “legacy” forwarding behavior class has been defined. The four behavior classes are as follows:

Default forwarding (DF) for elastic traffic

Assured forwarding (AF) for general QoS requirements

Expedited forwarding (EF) for real-time (inelastic) traffic

Class selector for historical codepoint definitions and PHB requirements

Figure 10.6 shows the DSCP encodings corresponding to the four classes. The remainder of this section discusses each class in turn.

FIGURE 10.6 DiffServ Forwarding Behavior Classes and Corresponding DSField Encoding

Default Forwarding PHB

The default class, referred to as default forwarding (DF), is the best effort forwarding behavior in existing routers. Such packets are forwarded in the order that they are received as soon as link capacity becomes available. If other higher-priority packets in other DiffServ classes are available for transmission, the latter are given preference over best effort default packets. Application traffic in the Internet that uses default forwarding is expected to be elastic in nature. The sender of traffic is expected to adjust its transmission rate in response to changes in available rate, loss, or delay.

Expedited Forwarding PHB

RFC 3246 defines the expedited forwarding (EF) PHB as a building block for low-loss, low-delay, and low-jitter end-to-end services through DiffServ domains. In essence, such a service should appear to the endpoints as providing close to the performance of a point-to-point connection or leased line.

In an internet or packet-switching network, a low-loss, low-delay, and low-jitter service is difficult to achieve. By its nature, an internet involves queues at each node, or router, where packets are buffered waiting to use a shared output link. It is the queuing behavior at each node that results in loss, delays, and jitter. Therefore, unless the internet is grossly oversized to eliminate all queuing effects, care must be taken in handling traffic for EF PHB to ensure that queuing effects do not result in loss, delay, or jitter above a given threshold. RFC 3246 declares that the intent of the EF PHB is to provide a PHB in which suitably marked packets usually encounter short or empty queues. The relative absence of queuing effects minimizes delay and jitter. Furthermore, if queues remain short relative to the buffer space available, packet loss is also kept to a minimum.

The EF PHB is designed to configure nodes so that the traffic aggregate [2] has a well-defined minimum departure rate. (Well-defined means “independent of the dynamic state of the node,” in particular, independent of the intensity of other traffic at the node.) The general concept outlined in RFC 3246 is this: The border nodes control the traffic aggregate to limit its characteristics (rate, burstiness) to some predefined level. Interior nodes must treat the incoming traffic in such a way that queuing effects do not appear. In general terms, the requirement on interior nodes is that the aggregate’s maximum arrival rate must be less than the aggregate’s minimum departure rate.

[2] The term traffic aggregate refers to the flow of packets associated with a particular service for a particular user.

RFC 3246 does not mandate a specific queuing policy at the interior nodes to achieve the EF PHB. The RFC notes that a simple priority scheme could achieve the desired effect, with the EF traffic given absolute priority over other traffic. So long as the EF traffic itself did not overwhelm an interior node, this scheme would result in acceptable queuing delays for the EF PHB. However, the risk of a simple priority scheme is that packet flows for other PHB traffic would be disrupted. Therefore, some more sophisticated queuing policy might be warranted.

Assured Forwarding PHB

The assured forwarding (AF) PHB is designed to provide a service superior to best effort but one that does not require the reservation of resources within an Internet and does not require the use of detailed discrimination among flows from different users. The concept behind the AF PHB was first introduced in a paper by Clark and Fang [CLAR98] and is referred to as explicit allocation. The AF PHB is more complex than explicit allocation, but it is useful to first highlight the key elements of the explicit allocation scheme:

Users are offered the choice of a number of classes of service for their traffic. Each class describes a different traffic profile in terms of an aggregate data rate and burstiness.

Traffic from a user within a given class is monitored at a boundary node. Each packet in a traffic flow is marked out or in based on whether it does or does not exceed the traffic profile.

Inside the network, there is no separation of traffic from different users or even traffic from different classes. Instead, all traffic is treated as a single pool of packets, with the only distinction being whether each packet has been marked in or out.

When congestion occurs, the interior nodes implement a dropping scheme in which out packets are dropped before in packets.

Different users will see different levels of service because they will have different quantities of in packets in the service queues.

The advantage of this approach is its simplicity. Very little work is required by the internal nodes. Marking of the traffic at the boundary nodes based on traffic profiles provides different levels of service to different classes.

The AF PHB defined in RFC 2597 expands on the preceding approach in the following ways:

Four AF classes are defined, allowing the definition of four distinct traffic profiles. A user may select one or more of these classes to satisfy requirements.

Within each class, packets are marked by the customer or by the service provider with one of three drop precedence values. In case of congestion, the drop precedence of a packet determines the relative importance of the packet within the AF class. A congested DiffServ node tries to protect packets with a lower drop precedence value from being lost by preferably discarding packets with a higher drop precedence value.

This approach is still simpler to implement than any sort of resource reservation scheme but provides considerable flexibility. Within an interior DiffServ node, traffic from the four classes can be treated separately, with different amounts of resources (buffer space, data rate) assigned to the four classes. Within each class, packets are handled based on drop precedence. Therefore, as RFC 2597 points out, the level of forwarding assurance of an IP packet depends on the following:

How many forwarding resources have been allocated to the AF class to which the packet belongs.

The current load of the AF class.

In case of congestion within the class, the drop precedence of the packet.

RFC 2597 does not mandate any mechanisms at the interior nodes to manage the AF traffic. It does reference the RED algorithm as a possible way of managing congestion.
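An added example, not code from the book or the RFCs, that puts together the conditioning elements of Figure 10.5 and the in/out marking described above: a token bucket meter and a marker at the boundary node set AF drop precedence 1 for in-profile packets and 3 for excess packets, and an interior node with a small buffer discards the highest drop precedence first when it congests. The rates, bucket depth, buffer size and the two-flow packet trace are constructed values.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Packet:
    flow: str
    size: int           # bytes
    arrival: float      # seconds
    drop_prec: int = 1  # AF drop precedence: 1 = protect first, 3 = drop first


class TokenBucket:
    """Meter. Tokens (bytes) accrue at `rate` up to `depth`; a packet is
    in-profile when enough tokens are present on arrival. Bursts of up to
    `depth` bytes are tolerated, which a plain rate limit would not allow."""
    def __init__(self, rate, depth):
        self.rate, self.depth = rate, depth
        self.tokens, self.last = float(depth), 0.0
    def conforms(self, pkt):
        elapsed = pkt.arrival - self.last
        self.tokens = min(self.depth, self.tokens + elapsed * self.rate)
        self.last = pkt.arrival
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return True
        return False


def condition(packets, profiles):
    """Boundary node: classify on flow, meter against the flow's profile and
    mark. In-profile packets get drop precedence 1 ('in'); excess packets are
    re-marked to precedence 3 ('out') and admitted rather than dropped."""
    meters = {f: TokenBucket(rate, depth) for f, (rate, depth) in profiles.items()}
    for p in packets:  # packets are in arrival order
        meter = meters.get(p.flow)
        # A flow with no SLS has no profile: everything it sends is 'out'.
        p.drop_prec = 1 if meter is not None and meter.conforms(p) else 3
    return packets


class InteriorNode:
    """Interior node: FIFO output queue with a finite buffer. On overflow it
    discards the queued packet with the highest drop precedence (oldest among
    equals), so 'in' packets are lost only once no 'out' packet remains."""
    def __init__(self, link_rate, buffer_bytes):
        self.link_rate, self.buffer = link_rate, buffer_bytes
        self.q, self.used, self.link_free = deque(), 0, 0.0
        self.sent, self.dropped = [], []
    def _transmit_until(self, now):
        while self.q and self.link_free <= now:
            head = self.q.popleft()
            self.used -= head.size
            start = max(self.link_free, head.arrival)
            self.link_free = start + head.size / self.link_rate
            self.sent.append(head)
    def receive(self, p):
        self._transmit_until(p.arrival)
        self.q.append(p)
        self.used += p.size
        while self.used > self.buffer:
            victim = max(self.q, key=lambda x: x.drop_prec)
            self.q.remove(victim)
            self.used -= victim.size
            self.dropped.append(victim)
    def flush(self):
        self._transmit_until(float("inf"))


def constructed_trace():
    """Both flows average 100 000 bytes/s in 1000-byte packets; 'bursty' sends
    its ten packets of every 100 ms back to back at 1 ms spacing."""
    pkts = [Packet("steady", 1000, i * 0.010) for i in range(40)]
    pkts += [Packet("bursty", 1000, (i // 10) * 0.100 + (i % 10) * 0.001)
             for i in range(40)]
    return sorted(pkts, key=lambda p: p.arrival)


# Constructed SLS profiles: flow -> (rate in bytes/s, bucket depth in bytes).
PROFILES = {"steady": (100_000, 3000), "bursty": (100_000, 3000)}


def mark_counts(packets):
    """How many packets of each flow ended up with each drop precedence."""
    counts = {}
    for p in packets:
        counts[(p.flow, p.drop_prec)] = counts.get((p.flow, p.drop_prec), 0) + 1
    return counts


def run(link_rate=150_000, buffer_bytes=4000):
    """Condition the trace at the boundary, then push it through a congested
    interior node (200 000 bytes/s offered to a 150 000 bytes/s link)."""
    marked = condition(constructed_trace(), PROFILES)
    node = InteriorNode(link_rate, buffer_bytes)
    for p in marked:
        node.receive(p)
    node.flush()
    return mark_counts(marked), node
```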

 

Part c of Figure 10.6 shows the recommended codepoints for AF PHB in the DSField.

Class Selector PHB
Codepoints of the form xxx000 are reserved to provide backward compatibility with the IPv4 precedence service. The IPv4 type of service (TOS) field, which has been replaced by the DSField and ECN field (Figure 10.3a), includes two subfields: a 3-bit precedence subfield and a 4-bit TOS subfield. These subfields serve complementary functions. The TOS subfield provides guidance to the IP entity (in the source or router) on selecting the next hop for this datagram, and the precedence subfield provides guidance about the relative allocation of router resources for this datagram.
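To make the field layout concrete, here is an added decoder (not code from the book) for the 6-bit DSField described in the DiffServ Field subsection and the encodings discussed under per-hop behavior: it extracts DSCP and ECN from a constructed IPv4 header, assigns the codepoint to one of the three pools, names the PHB (DF, EF, a class selector of the form xxx000, or AFxy under the RFC 2597 layout of class in the top three bits and drop precedence in the next two), reads the legacy IPv4 precedence from the top three bits, and re-marks a packet at a domain boundary with the header checksum repaired. The header bytes, addresses and the "unassigned" label are constructed.

```python
import ipaddress
import struct

EF_DSCP = 0b101110  # 46, RFC 3246


def ds_field(header):
    """Return (dscp, ecn) from the second byte of an IPv4 header, the byte the
    old TOS field occupied (Figure 10.3a)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1] >> 2, header[1] & 0b11


def codepoint_pool(dscp):
    """Pool 1: xxxxx0 (standards action); pool 2: xxxx11 (experimental or
    local use); pool 3: xxxx01 (experimental/local, may be standardised)."""
    if (dscp & 0b1) == 0:
        return 1
    return 2 if (dscp & 0b11) == 0b11 else 3


def phb(dscp):
    """Name the standard PHB a codepoint selects: DF, EF, CSn or AFxy."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if dscp == 0:
        return "DF"
    if dscp == EF_DSCP:
        return "EF"
    if (dscp & 0b111) == 0:  # xxx000: class selector, the old IPv4 precedence
        return f"CS{dscp >> 3}"
    af_class, drop_prec = dscp >> 3, (dscp >> 1) & 0b11
    if (dscp & 0b1) == 0 and 1 <= af_class <= 4 and drop_prec != 0:
        return f"AF{af_class}{drop_prec}"  # class 1-4, drop precedence 1-3
    return "unassigned"  # constructed label for everything else


def legacy_precedence(dscp):
    """The 3-bit IPv4 precedence a pre-DiffServ router reads from the same
    bits: the top three bits of the DSCP."""
    return dscp >> 3


def _fold(total):
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def header_checksum(header):
    """Internet checksum over the header with its own checksum field zeroed."""
    ihl = (header[0] & 0x0F) * 4
    words = list(struct.unpack(f"!{ihl // 2}H", header[:ihl]))
    words[5] = 0  # bytes 10-11 hold the checksum itself
    return ~_fold(sum(words)) & 0xFFFF


def checksum_ok(header):
    """A valid header sums (ones' complement) to 0xFFFF including its checksum."""
    ihl = (header[0] & 0x0F) * 4
    return _fold(sum(struct.unpack(f"!{ihl // 2}H", header[:ihl]))) == 0xFFFF


def remark(header, new_dscp):
    """Marker: rewrite the DSCP, keep the ECN bits and repair the checksum, as
    a boundary node does when re-marking at a domain boundary."""
    if not 0 <= new_dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    h = bytearray(header)
    h[1] = (new_dscp << 2) | (h[1] & 0b11)
    struct.pack_into("!H", h, 10, header_checksum(bytes(h)))
    return bytes(h)


def build_header(dscp, ecn=0, src="192.0.2.1", dst="198.51.100.7"):
    """Constructed 20-byte IPv4 header (UDP, TTL 64, documentation addresses)
    with a valid checksum, used only as sample input."""
    h = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 84, 0x1C46, 0x4000, 64, 17, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed))
    struct.pack_into("!H", h, 10, header_checksum(bytes(h)))
    return bytes(h)


def describe(header):
    """Everything a behavior aggregate classifier derives from one header."""
    dscp, ecn = ds_field(header)
    return {"dscp": dscp, "ecn": ecn, "pool": codepoint_pool(dscp),
            "phb": phb(dscp), "precedence": legacy_precedence(dscp)}
```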

 

The precedence field is set to indicate the degree of urgency or priority to be associated with a datagram. If a router supports the precedence subfield, there are three approaches to responding:

Route selection: A particular route may be selected if the router has a smaller queue for that route or if the next hop on that route supports network precedence or priority (for example, a Token Ring network supports priority).

Network service: If the network on the next hop supports precedence, that service is invoked.

Queuing discipline: A router may use precedence to affect how queues are handled. For example, a router may give preferential treatment in queues to datagrams with higher precedence.

RFC 1812, Requirements for IP Version 4 Routers, provides recommendations for queuing discipline that fall into two categories:

Queue service:

Routers should implement precedence-ordered queue service. Precedence-ordered queue service means that when a packet is selected for output on a (logical) link, the packet of highest precedence that has been queued for that link is sent.

Any router may implement other policy-based throughput management procedures that result in other than strict precedence ordering, but it must be configurable to suppress them (that is, use strict ordering).

Congestion control. When a router receives a packet beyond its storage capacity, it must discard it or some other packet or packets:

A router may discard the packet it has just received; this is the simplest but not the best policy.

理想情况下,路由器应从最严重滥用链路的会话之一中选择数据包,前提是适用的 QoS 策略允许这样做。在使用 FIFO 队列的数据报环境中,建议的策略是丢弃从队列中随机选择的数据包。使用公平队列的路由器中的等效算法是从最长队列中丢弃。路由器可以使用这些算法来确定丢弃哪个数据包。

Ideally, the router should select a packet from one of the sessions most heavily abusing the link, given that the applicable QoS policy permits this. A recommended policy in datagram environments using FIFO queues is to discard a packet randomly selected from the queue. An equivalent algorithm in routers using fair queues is to discard from the longest queue. A router may use these algorithms to determine which packet to discard.

If precedence-ordered queue service is implemented and enabled, the router must not discard a packet whose IP precedence is higher than that of a packet that is not discarded.

A router may protect packets whose IP headers request the maximize reliability TOS, except where doing so would be in violation of the previous rule.

A router may protect fragmented IP packets, on the theory that dropping a fragment of a datagram may increase congestion by causing all fragments of the datagram to be retransmitted by the source.

To help prevent routing perturbations or disruption of management functions, the router may protect packets used for routing control, link control, or network management from being discarded. Dedicated routers (that is, routers that are not also general purpose hosts, terminal servers, and so on) can achieve an approximation of this rule by protecting packets whose source or destination is the router itself.

The class selector PHB should provide a service that at minimum is equivalent to that of the IPv4 precedence functionality.
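
The queue-service and congestion-control rules above combine into a single discard decision: only the lowest-precedence packets present are ever eligible for discard, and within that set control, fragment and maximize-reliability packets are spared when possible. The following Python simulation is an added example, not code from the book or from any router; the router address, packet fields and arrival sequence are constructed, and the random victim choice is seeded so the run is repeatable.

```python
import random
from dataclasses import dataclass
from typing import List, Optional

# Constructed address standing in for "the router itself" (RFC 1812 approximation
# for routing-control / management traffic: protect packets sent to or from the router).
ROUTER_ADDR = "192.0.2.1"


@dataclass
class Packet:
    label: str
    src: str
    dst: str
    precedence: int                # IPv4 precedence: 0 (routine) .. 7 (network control)
    fragment: bool = False         # part of a fragmented datagram
    max_reliability: bool = False  # IP header requests the "maximize reliability" TOS


def is_protected(pkt: Packet) -> bool:
    """Packets RFC 1812 says a router *may* protect from discard."""
    return (pkt.src == ROUTER_ADDR or pkt.dst == ROUTER_ADDR
            or pkt.fragment or pkt.max_reliability)


class PrecedenceQueue:
    """One output-link queue with precedence-ordered service and a
    precedence-respecting congestion discard policy."""

    def __init__(self, capacity: int, rng: Optional[random.Random] = None):
        self.capacity = capacity
        self.queue: List[Packet] = []      # arrival (FIFO) order
        self.dropped: List[Packet] = []
        self.rng = rng or random.Random()

    def enqueue(self, pkt: Packet) -> Optional[Packet]:
        """Queue pkt; on overflow discard one packet and return it."""
        if len(self.queue) < self.capacity:
            self.queue.append(pkt)
            return None
        # Congestion: the arriving packet or some queued packet must go.
        candidates = self.queue + [pkt]
        # "Must not discard a packet whose precedence is higher than one kept":
        # only the lowest-precedence packets present are eligible.
        lowest = min(p.precedence for p in candidates)
        pool = [p for p in candidates if p.precedence == lowest]
        # Within that pool, spare control/fragment/max-reliability packets
        # whenever an unprotected packet is available.
        unprotected = [p for p in pool if not is_protected(p)]
        # FIFO environment: pick the victim at random from the eligible set.
        victim = self.rng.choice(unprotected or pool)
        self.dropped.append(victim)
        if victim is not pkt:
            self.queue.remove(victim)
            self.queue.append(pkt)
        return victim

    def dequeue(self) -> Optional[Packet]:
        """Precedence-ordered service: highest precedence first, FIFO among equals."""
        if not self.queue:
            return None
        best = max(self.queue, key=lambda p: p.precedence)  # max() keeps the earliest
        self.queue.remove(best)
        return best


def simulate() -> dict:
    """Constructed overload of a 3-packet queue; returns what was dropped and served."""
    q = PrecedenceQueue(capacity=3, rng=random.Random(7))
    arrivals = [
        Packet("A", "198.51.100.10", "203.0.113.5", precedence=0),
        Packet("B", "198.51.100.11", "203.0.113.5", precedence=5),
        Packet("C", "198.51.100.12", "203.0.113.6", precedence=0, fragment=True),
        Packet("D", "198.51.100.13", "203.0.113.7", precedence=3),
        Packet("E", "198.51.100.14", ROUTER_ADDR, precedence=7),  # routing/management
    ]
    for pkt in arrivals:
        q.enqueue(pkt)
    served = []
    while (p := q.dequeue()) is not None:
        served.append(p.label)
    return {"dropped": [p.label for p in q.dropped], "served": served}


if __name__ == "__main__":
    print(simulate())   # {'dropped': ['A', 'C'], 'served': ['E', 'B', 'D']}
```

Note that fragment C is discarded when packet E arrives: it is the only precedence-0 packet left, and the precedence rule takes priority over fragment protection.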

10.5 Service Level Agreements

A service level agreement (SLA) is a contract between a network provider and a customer that defines specific aspects of the service that is to be provided. The definition is formal and typically defines quantitative thresholds that must be met. An SLA typically includes the following information:

A description of the nature of service to be provided: A basic service would be IP-based network connectivity of enterprise locations plus access to the Internet. The service may include additional functions such as web hosting, maintenance of domain name servers, and operation and maintenance tasks.

The expected performance level of the service: The SLA defines a number of metrics, such as delay, reliability, and availability, with numerical thresholds.

The process for monitoring and reporting the service level: This describes how performance levels are measured and reported.

Figure 10.7 shows a typical configuration that lends itself to an SLA. In this case, a network service provider maintains an IP-based network. A customer has a number of private networks (for example, LANs) at various sites. Customer networks are connected to the provider via access routers at the access points. The SLA dictates service and performance levels for traffic between access routers across the provider network. In addition, the provider network links to the Internet and thus provides Internet access for the enterprise. For example, the standard SLA provided by Cogent Communications for its backbone networks includes the following items:

FIGURE 10.7 Typical Framework for Service Level Agreement

Availability: 100 percent availability.

Latency (delay): Monthly average network latency for packets carried over the Cogent Network between backbone hubs for the following regions is as specified here:

Intra-North America: 45 milliseconds or less

Intra-Europe: 35 milliseconds or less

New York to London (transatlantic): 85 milliseconds or less

Los Angeles to Tokyo (transpacific): 120 milliseconds or less

Network latency (or round-trip time) is defined as the average time taken for an IP packet to make a round-trip between backbone hubs within the regions specified above on the Cogent Network. Cogent monitors aggregate latency within the Cogent Network by monitoring round-trip times between a sampling of backbone hubs on an ongoing basis.

Network packet delivery (reliability): Average monthly packet loss no greater than 0.1 percent (or successful delivery of 99.9 percent of packets). Packet loss is defined as the percentage of packets that are dropped between backbone hubs on the Cogent Network.

An SLA can be defined for the overall network service. In addition, SLAs can be defined for specific end-to-end services available across the carrier’s network, such as a virtual private network, or differentiated services.

10.6 IP Performance Metrics

The IP Performance Metrics Working Group (IPPM) is chartered by IETF to develop standard metrics that relate to the quality, performance, and reliability of Internet data delivery. Two trends dictate the need for such a standardized measurement scheme:

The Internet has grown and continues to grow at a dramatic rate. Its topology is increasingly complex. As its capacity has grown, the load on the Internet has grown at an even faster rate. Similarly, private internets, such as corporate intranets and extranets, have exhibited similar growth in complexity, capacity, and load. The sheer scale of these networks makes it difficult to determine quality, performance, and reliability characteristics.

The Internet serves a large and growing number of commercial and personal users across an expanding spectrum of applications. Similarly, private networks are growing in terms of user base and range of applications. Some of these applications are sensitive to particular QoS parameters, leading users to require accurate and understandable performance metrics.

A standardized and effective set of metrics enables users and service providers to have an accurate common understanding of the performance of the Internet and private internets. Measurement data is useful for a variety of purposes, including the following:

Supporting capacity planning and troubleshooting of large complex internets.

Encouraging competition by providing uniform comparison metrics across service providers.

Supporting Internet research in such areas as protocol design, congestion control, and QoS.

Verification of SLAs.

Table 10.2 lists the metrics that have been defined in RFCs at the time of this writing. Section a of Table 10.2 lists those metrics which result in a value estimated based on a sampling technique.

Src = IP address of a host

Dst = IP address of a host

TABLE 10.2 IP Performance Metrics

These metrics are defined in three stages:

Singleton metric: The most elementary, or atomic, quantity that can be measured for a given performance metric. For example, for a delay metric, a singleton metric is the delay experienced by a single packet.

Sample metric: A collection of singleton measurements taken during a given time period. For example, for a delay metric, a sample metric is the set of delay values for all the measurements taken during a one-hour period.

Statistical metric: A value derived from a given sample metric by computing some statistic of the values defined by the singleton metric on the sample. For example, the mean of all the one-way delay values on a sample might be defined as a statistical metric.

The measurement technique can be either active or passive. Active techniques require injecting packets into the network for the sole purpose of measurement. There are several drawbacks to this approach. The load on the network is increased. This, in turn, can affect the desired result. For example, on a heavily loaded network, the injection of measurement packets can increase network delay, so that the measured delay is greater than it would be without the measurement traffic. In addition, an active measurement policy can be abused for denial-of-service attacks disguised as legitimate measurement activity. Passive techniques observe and extract metrics from existing traffic. This approach can expose the contents of Internet traffic to unintended recipients, creating security and privacy concerns. So far, the metrics defined by the IPPM working group are all active.

For the sample metrics, the simplest technique is to take measurements at fixed time intervals, known as periodic sampling. There are several problems with this approach. First, if the traffic on the network exhibits periodic behavior, with a period that is an integer multiple of the sampling period (or vice versa), correlation effects may result in inaccurate values.

Also, the act of measurement can perturb what is being measured (for example, injecting measurement traffic into a network alters the congestion level of the network), and repeated periodic perturbations can drive a network into a state of synchronization, greatly magnifying what might individually be minor effects. Accordingly, RFC 2330, Framework for IP Performance Metrics, recommends Poisson sampling. This method uses a Poisson distribution to generate random time intervals with the desired mean value.

Most of the statistical metrics listed in part a of Table 10.2 are self-explanatory. The percentile metric is defined as follows: The xth percentile is a value y such that x% of measurements ≥ y. The inverse percentile of x for a set of measurements is the percentage of all values ≤ x.

Figure 10.8 illustrates the packet delay variation metric. This metric is used to measure jitter, or variability, in the delay of packets traversing the network. The singleton metric is defined by selecting two packet measurements and measuring the difference in the two delays. The statistical measures make use of the absolute values of the delays.

FIGURE 10.8 Model for Defining Packet Delay Variation
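
The three metric stages, Poisson sampling, the percentile definitions quoted above and the packet delay variation model of Figure 10.8 can be exercised together on one constructed sample. The Python below is an added example, not code from the book or from any IPPM implementation: the one-way delays are constructed, each delay is paired with the preceding packet's delay to form a variation singleton, and the percentile functions follow the text's definitions exactly.

```python
import math
import random
from statistics import mean
from typing import Dict, List


def poisson_schedule(mean_interval: float, count: int, seed: int) -> List[float]:
    """Sample instants for active measurement. The gaps between events of a
    Poisson process are exponentially distributed, so drawing each gap from
    expovariate(1/mean) gives Poisson sampling with the requested mean gap."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(count):
        t += rng.expovariate(1.0 / mean_interval)
        times.append(t)
    return times


def percentile(sample: List[float], x: float) -> float:
    """xth percentile as defined in the text: a value y such that
    x% of the measurements are >= y."""
    ordered = sorted(sample, reverse=True)
    k = max(1, math.ceil(x / 100.0 * len(ordered)))   # need k values >= y
    return ordered[k - 1]


def inverse_percentile(sample: List[float], x: float) -> float:
    """Inverse percentile of x: percentage of all measurements <= x."""
    return 100.0 * sum(1 for v in sample if v <= x) / len(sample)


def pdv_singletons(delays: List[float]) -> List[float]:
    """Packet delay variation singletons: the difference of two one-way
    delays. Here each packet is paired with the packet before it."""
    return [delays[i] - delays[i - 1] for i in range(1, len(delays))]


def pdv_statistics(delays: List[float]) -> Dict[str, float]:
    """Statistical metrics over the sample, taken on |delay difference|."""
    magnitudes = [abs(d) for d in pdv_singletons(delays)]
    return {
        "mean_abs": mean(magnitudes),
        "max_abs": max(magnitudes),
        "p50_abs": percentile(magnitudes, 50),
    }


# Constructed one-way delays (ms): one singleton per measurement packet,
# standing in for a sample metric collected over one measurement period.
SAMPLE_DELAYS_MS = [20.0, 22.0, 21.0, 25.0, 30.0, 24.0, 23.0, 23.0, 40.0, 26.0]


def summarize(delays: List[float] = SAMPLE_DELAYS_MS) -> Dict[str, float]:
    """Statistical metrics derived from the sample metric."""
    return {
        "mean_delay": mean(delays),
        "p50_delay": percentile(delays, 50),
        "pct_at_most_25ms": inverse_percentile(delays, 25.0),
        **pdv_statistics(delays),
    }


if __name__ == "__main__":
    schedule = poisson_schedule(mean_interval=1.0, count=5, seed=1)
    print("sample instants (s):", [round(t, 3) for t in schedule])
    print(summarize())
```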

Section b of Table 10.2 lists two metrics that are not defined statistically. Connectivity deals with the issue of whether a transport-level connection is maintained by the network. The current specification (RFC 2678) does not detail specific sample and statistical metrics but provides a framework within which such metrics could be defined. Connectivity is determined by the ability to deliver a packet across a connection within a specified time limit. The other metric, bulk transfer capacity, is similarly specified (RFC 3148) without sample and statistical metrics but begins to address the issue of measuring the transfer capacity of a network service with the implementation of various congestion control mechanisms.

10.7 OpenFlow QoS Support

OpenFlow offers two tools for implementing QoS in data plane switches. The sections that follow examine each of these in turn.

Queue Structures

An OpenFlow switch provides limited QoS support through a simple queuing mechanism. One or more queues can be associated with a port. Queues support the ability to provide minimum data rate guarantees and maximum data rate limits. Queue configuration takes place outside the OpenFlow protocol, either through a command-line tool or through an external dedicated configuration protocol.

A data structure defines each queue. The data structure includes a unique identifier, port this queue is attached to, minimum data rate guaranteed, and maximum data rate. Counters associated with each queue capture the number of transmitted bytes and packets, number of packets dropped because of overrun, and the elapsed time the queue has been installed in the switch.

The OpenFlow Set-Queue action is used to map a flow entry to an already configured port. Thus, when an arriving packet matches a flow table entry, the packet is directed to a given queue on a given port.

The behavior of the queue is determined beyond the scope of OpenFlow. Thus, although OpenFlow provides a way to define queues, direct packet flows to specific queues, and monitor traffic on each queue, any QoS feature must be implemented outside of OpenFlow.

Meters

A meter is a switch element that can measure and control the rate of packets or bytes. Associated with each meter is a set of one or more bands. If the packet or byte rate exceeds a predefined threshold, the meter triggers the band. The band may drop the packet, in which case it is called a rate limiter. Other QoS and policing mechanisms can be designed using meter bands. Each meter is defined by an entry in the meter table for a switch. Each meter has a unique identifier. Meters are not attached to a queue or a port; rather, a meter can be invoked by an instruction from a flow table entry. Multiple flow entries can point to the same meter.

With that brief overview, let’s look at the details of meters. A meter measures the rate of packets assigned to it and enables controlling the rate of those packets. The meter measures and controls the rate of the aggregate of all flow entries to which it is attached. Multiple meters can be used in the same table, but in an exclusive way (disjoint set of flow entries). Multiple meters can be used on the same set of packets by using them in successive flow tables.

Figure 10.9 shows the structure of a meter table entry and how it is related to a flow table entry.

FIGURE 10.9 OpenFlow QoS-Related Formats

A flow table entry may include a meter instruction with a meter_id as an argument. Any packet that matches that flow entry is directed to the corresponding meter. Within the meter table, each entry consists of three main fields:

Meter identifier: A 32-bit unsigned integer uniquely identifying the meter.

Meter bands: An unordered list of one or more meter bands, where each meter band specifies the rate of the band and the way to process the packet.

Counters: Updated when packets are processed by a meter. These are aggregate counters. That is, the counters count the total traffic of all flows, and do not break the traffic down by flow.

Each band has the following structure:

Band type: drop or dscp remark.

Rate: Used by the meter to select the meter band, defines the lowest rate at which the band can apply.

Counters: Updated when packets are processed by a meter band.

Type specific arguments: Some band types may have optional arguments. Currently, the only optional argument is for the dscp remark band type, specifying the amount of drop in precedence.

The meter triggers a meter band if the packet rate or byte rate passing through the meter exceeds a predefined threshold. A band of type drop drops packets when the band’s rate is exceeded. This can be used to define a rate limiter band. A band of type dscp remark increases the drop precedence in the DS codepoint field in the IP header of the packet. This can be used to define a simple DiffServ policer.

Figure 10.10, from the OpenFlow Switch Specification (Version 1.5.1, March 2015), illustrates the use of OpenFlow to set, modify, and match on DSCPs. The figure shows three flow tables in one switch. Multiple flow entries in one flow table may use the same meter. Different entries in the same flow table may point to different meters, and a flow entry need not use a meter. By using different meters in a flow table, disjoint sets of flow entries can be metered independently. Packets may go through multiple meters when meters are used in successive flow tables; at each flow table, the matching flow entry may direct the packet to one meter. The black arrowed lines indicate the progress of one flow through the flow tables. Figure 10.10 shows how multiple meters can be used for a given flow as the flow passes through the network, with the DSCP value changing based on traffic conditions observed by the meters.

FIGURE 10.10 DSCP Metering
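
The meter table entry, its bands, band selection by rate, and the drop and dscp remark behaviours described in this section, together with the meter instruction in a flow entry, can be modelled in a few dozen lines. The Python below is an added example and is not code from the OpenFlow specification or from any switch: the band field names (rate, prec_level) follow the specification, but the sliding-window packet-rate measurement, the table-miss-drops policy and the flow-table matching are simplifications assumed here, and the traffic burst is constructed.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional, Tuple

DROP, DSCP_REMARK = "drop", "dscp_remark"


@dataclass
class Packet:
    dscp: int          # 6-bit DS codepoint; AF11 = 0b001010 = 10
    length: int        # bytes


def raise_drop_precedence(dscp: int, prec_level: int) -> int:
    """Assured Forwarding codepoint: class in bits 5..3, drop precedence in bits 2..1.
    Raising by prec_level moves AFx1 -> AFx2 -> AFx3 (capped at the highest level)."""
    af_class, drop_prec = dscp >> 3, (dscp >> 1) & 0b11
    return (af_class << 3) | (min(3, drop_prec + prec_level) << 1)


@dataclass
class MeterBand:
    band_type: str
    rate: int                 # lowest measured rate (packets/s here) at which it applies
    prec_level: int = 0       # dscp_remark only: amount of drop-precedence increase
    packet_count: int = 0     # per-band counters
    byte_count: int = 0


@dataclass
class Meter:
    meter_id: int
    bands: List[MeterBand]
    window_s: float = 1.0     # assumed sliding measurement window
    history: Deque[float] = field(default_factory=deque)
    packet_count: int = 0     # aggregate counters over all flows using the meter
    byte_count: int = 0

    def measured_rate(self, now: float) -> float:
        while self.history and self.history[0] <= now - self.window_s:
            self.history.popleft()
        return len(self.history) / self.window_s

    def process(self, pkt: Packet, now: float) -> Optional[Packet]:
        self.packet_count += 1
        self.byte_count += pkt.length
        self.history.append(now)
        rate = self.measured_rate(now)
        # Band selection: the band with the highest configured rate that the
        # measured rate exceeds; below every band rate the packet passes untouched.
        exceeded = [b for b in self.bands if rate > b.rate]
        if not exceeded:
            return pkt
        band = max(exceeded, key=lambda b: b.rate)
        band.packet_count += 1
        band.byte_count += pkt.length
        if band.band_type == DROP:
            return None                                              # rate limiter
        pkt.dscp = raise_drop_precedence(pkt.dscp, band.prec_level)  # DiffServ policer
        return pkt


@dataclass
class FlowEntry:
    match: Callable[[Packet], bool]
    meter_id: Optional[int] = None      # argument of the "meter" instruction
    goto_table: Optional[int] = None    # continue the pipeline, or stop here


def run_pipeline(tables: List[List[FlowEntry]], meters: Dict[int, Meter],
                 pkt: Packet, now: float) -> Optional[Packet]:
    """Walk successive flow tables; each matching entry may hand the packet to a meter."""
    table: Optional[int] = 0
    while table is not None:
        entry = next((e for e in tables[table] if e.match(pkt)), None)
        if entry is None:
            return None                     # table miss: drop (constructed policy)
        if entry.meter_id is not None:
            pkt = meters[entry.meter_id].process(pkt, now)
            if pkt is None:
                return None
        table = entry.goto_table
    return pkt


def demo() -> Tuple[int, int, int]:
    """Constructed burst of 12 AF11 packets, 50 ms apart, through one meter with a
    dscp_remark band at 5 pkt/s and a drop band at 10 pkt/s."""
    meters = {1: Meter(1, [MeterBand(DSCP_REMARK, rate=5, prec_level=1),
                           MeterBand(DROP, rate=10)])}
    tables = [[FlowEntry(match=lambda p: True, meter_id=1)]]
    untouched = remarked = dropped = 0
    for i in range(12):
        out = run_pipeline(tables, meters, Packet(dscp=10, length=1000), now=i * 0.05)
        if out is None:
            dropped += 1
        elif out.dscp == 10:
            untouched += 1
        else:
            remarked += 1
    return untouched, remarked, dropped


if __name__ == "__main__":
    print(demo())   # (5, 5, 2)
```

The first five packets pass unchanged, the next five are remarked from AF11 to AF12 once the measured rate exceeds the remark band, and the last two are dropped once it exceeds the drop band.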

10.8 Key Terms

After completing this chapter, you should be able to define the following terms.

best effort

differentiated services

DS codepoint

elastic traffic

inelastic traffic

Integrated Services Architecture (ISA)

IP performance metrics

jitter

OpenFlow meter

quality of service (QoS)

service level agreements (SLA)

10.9 References

CISC15: Cisco Systems. Internetworking Technology Handbook. July 2015. http://docwiki.cisco.com/wiki/Internetworking_Technology_Handbook

CLAR98: Clark, D., and Fang, W. “Explicit Allocation of Best-Effort Packet Delivery Service.” IEEE/ACM Transactions on Networking, August 1998.

Chapter 11. QoE: User Quality of Experience

By Florence Agboma

British Sky Broadcasting

It is, of course, important to distinguish between the objective and subjective views, but we cannot pretend the latter are of no concern. Dismissal of subjective matters as being scientifically indecent springs from an excessive zeal for detachment. The objective view, which is predominant in the physical sciences and in strict behaviorist psychology, comes from regarding the observer as being “in” the world, which is out there around him and he can see it “through” his eyes. The subjective view comes from regarding the world as being in the mind of the observer, reality as mental experience.

On Human Communication, Colin Cherry, 1957

Chapter Objectives: After studying this chapter, you should be able to

Explain the motivations for QoE.

Define QoE.

Explain the factors that could influence QoE.

Present an overview of how QoE can be measured, including a discussion of the differences between subjective and objective assessment.

Discuss the various application areas of QoE.

This chapter discusses quality of experience (QoE) by providing background information and motivations for its emergence and use. It also discusses the key features of QoE and the factors influencing it. The primary focus is QoE within the context of multimedia communication systems, given that poor network performance often severely affects the user’s experience.

11.1 Why QoE?

Before the advent of the public Internet, video content delivery was a monopoly of content publishers who delivered their products and services over closed video delivery systems built and managed by cable and satellite TV operators. The operators owned and operated the entire distribution chain as well as the video reception devices (set-top boxes) in the home. These closed networks and devices were under the full control of these operators and were designed, deployed, provisioned, and optimized specifically to deliver high-quality video to consumers.

Figure 11.1 shows an abstraction of the typical satellite TV end-to-end delivery chain. In practice, however, such content delivery and distribution chains are made up of very complex integrations of applications and systems.

FIGURE 11.1 An Abstraction of a Content Distribution Network Using a Typical Satellite TV Distribution Network

As the illustration shows, the traffic (which in broadcasting means “program material”) scheduling system provides audio and video (A/V) content via the play-out system to be encoded and aggregated into a single MPEG transport stream (TS). Together with the program specific information (PSI), the transport stream is transmitted to the subscriber’s set-top box (STB) via a satellite.

Online Video Content Delivery

Video delivery over the Internet takes a different approach. Because the numerous subnetworks and devices that constitute the Internet are situated in varied geographical locations, video streams reach the user by traversing uncharted territory, as illustrated in Figure 11.2. With this arrangement, guaranteeing good network performance is often a very challenging task.

FIGURE 11.2 An Abstraction of a Content Distribution Network Using the Public Internet Distribution Network

Internet service providers (ISPs) do not own the entire content distribution network, and the risk of quality degradations is high. The access network may consist of coax, copper, fiber, or wireless (fixed and mobile) technology. Issues such as packet delay, jitter, and loss may plague such networks.

The growth and expansion of the Internet over the past couple of decades has led to an equally huge growth in the availability of network-enabled video streaming services. Giant technological strides have also been made in the development of network access devices.

With the current popularity of these services, providers need to ensure that user experiences are comparable to what the users would consider to be their reference standards. Users’ standards are often influenced by the typically high video quality experience with the older technology, that is, those offered by the cable and satellite TV operators. User expectations can also be influenced by capabilities that currently can only be adequately offered by broadcast TV. These capabilities include the following:

Trick mode functionalities, which are features of video streaming systems that mimic visual feedback given during fast-forward and rewind operations.

Contextual experiences across multiple screens, which includes the ability to pause viewing on one screen and switch to another, thus letting users take the video experience with them on the go.

To manage user experiences for online services, quality of service (QoS) frameworks became the adopted set of technologies and tools employed in managing network traffic in the delivery systems that provide these services. The aim of QoS is to manage the performance of networks and to provide performance guarantees to network traffic. QoS enables the measurement of network parameters, and the detection of changing network conditions (for example, congestion, availability of bandwidth), with the aim to implement stabilization strategies such as resource management and traffic prioritization.

There is now a growing realization, however, that QoS processes by themselves are not fully adequate in providing performance guarantees, because they do not take into account the user perception of network performance and service quality. It is this realization that has led to the emerging discipline of QoE.

The proliferation of different types of access devices further highlights the importance of QoE frameworks. As an illustration, the QoE for a user watching a news clip on a PDA will most likely differ from another user watching that same news clip on a 3G mobile phone. This is because the two terminals come with different display screens, bandwidth capabilities, frame rates, codecs, and processing power. Therefore, delivering multimedia content or services to these two terminal types, without carefully thinking about the users’ quality expectations or requirements for these terminal types, might lead to service overprovisioning and network resource wastage.

Informally, QoE refers to the user perception of a particular service. QoE needs to be one of the central metrics employed during the design and management of networks, content delivery systems, and other engineering processes. This is because it refers to a measure of the end-to-end performance at the service level from the user’s perspective as measured at the end user devices.

See Section 11.4, “Definition of Quality of Experience.”

11.2 Service Failures Due to Inadequate QoE Considerations

The stereoscopic 3D TV service is often cited as a prime example of a service that was a spectacular commercial failure because it had very poor QoE ratings.

In 2010, broadcasters such as Disney, Foxtel, BBC, and Sky began actively making 3D content delivery available as a service to their customers as a premium service experience. Indeed, each of these broadcasters rolled out their own dedicated 3D television channels. Within five years, all of them except Sky had to terminate their operations.

A number of factors contributed to the failure of these services. The first was the general unavailability of “wow video content” (that is, content that users are most likely to find exciting or take much interest in). The second was the need to wear special 3D glasses even when using these services in a home environment. Third, because broadcasters were initially in a rush to deploy the 3D TV technology, content was produced by inexperienced creators using inadequate systems and tools. This resulted in a great deal of poorly produced 3D content, which may have alienated the early subscribers.

11.3 QoE-Related Standardization Projects

Because the field of QoE has been growing rapidly, a number of projects have been initiated to address issues relating to best practices and standards. These projects have been aimed at preventing commercial failures like the one described in Section 11.2. Table 11.1 summarizes the prominent ones amongst these project initiatives, two of which are described in the paragraphs that follow.

TABLE 11.1 QoE Initiatives and Projects

The Video Quality Experts Group (VQEG) is currently working on draft ITU recommendations for 3D video quality assessments for home entertainment systems (http://www.its.bldrdoc.gov/vqeg/projects/3dtv/3dtv.aspx). The VQEG is also working on producing reference documentation regarding the features that can impact 3D TV viewing experience, as well as ways in which they can be minimized. Examples of these features are crosstalk, visual discomfort, and visual fatigue.

Video Quality Experts Group (VQEG)

Another initiative is by the Quality of Experience Estimators in Networks (QuEEN) project [ETSI14], which is a multi-organizational and multinational initiative aimed at addressing issues relating to online services such as voice, video, and IPTV. These are areas where service and network providers seek to differentiate their service offerings, in terms of QoE and lower churn rates, from their competitors.

QuEEN developed an operational framework by categorizing the factors that may have an influence on QoE into well-defined layers. This provided insight into how each layer could be associated with a quality value. The QoE estimation process employed a software agent that integrated with each of the layers, together with software systems that attempt to model how a human subject would give approval ratings based on the values of these parameters. The agent had the capability of aggregating data from various probes across the network.

The QuEEN agent was at the core of the layered model. It enabled the flexible deployments of QoE estimators in a large-scale distributed environment. The three-year QuEEN project, which concluded in 2014, produced some impressive results. The QuEEN approach of using software QoE agents has been standardized in different ETSI and ITU standards. It is envisaged that this will encourage the development of new ways of using QoE, as well as new methods in QoE management.

11.4 Definition of Quality of Experience

There are a number of different, although similar, definitions of QoE. The nature of QoE, which turns out to vary from person to person, is difficult to grasp in a quantitative way. QoE requires a multidisciplinary approach, encompassing communication networks, cognitive processes, multimedia signal processing, and social psychology, focused on understanding the user perception of quality.

Researchers working within these various disciplines often use their own specialist language and terminology to describe identical concepts. Thus, studying and interpreting the literature of a given discipline is usually not a trivial exercise for researchers from other disciplines. As a consequence, there is a lack of consensus on how to measure or describe QoE and on the wide range of factors that influence it.

A first step toward a multidisciplinary approach to QoE involves specifying a common terminology framework.

Work toward drawing up this common framework was begun in 2012 by the European Network on Quality of Experience in Multimedia Systems and Services (QUALINET) [MOLL12]. This is a group of researchers and industry experts whose main objectives were to foster discussions about the formal definitions of QoE and its related concepts.

The definitions of quality, experience, and quality of experience presented in this section are based on the ones provided in QUALINET’s white paper of definitions [MOLL12].

Definition of Quality

Quality is the resulting verdict produced by a user after he/she has carried out a “comparison and judgment” process on an observable occurrence or event.

This process comprises the following key sequential steps:

Perception of the event

Reflection on the perception

Description of the perception

Evaluation and description of the result or outcome

Thus, quality is evaluated in terms of the degree to which the user’s needs have been fulfilled within the context of the event. The result of this evaluation is usually referred to as the quality score (or rating) if it is presented with reference to a scale.

Definition of Experience

Experience is an individual’s description of a stream of perceptions, and his/her interpretation of one or multiple events. An experience might result from an encounter with a system, service, or an artifact.

It is important to note that the description of an experience need not necessarily result in a judgment of its quality.

Quality Formation Process

As shown in Figure 11.3, there are two distinct subprocess paths to the formation of a quality score: the perception path and the reference path.

FIGURE 11.3 A Schematic Illustration of the Quality Formation Process from an Individual Point of View. Source: [MOLL12]

The reference path reflects the temporal and contextual nature of the quality formation process. This path is influenced by memories of former experienced qualities, as indicated by the arrow from experienced quality to the reference path.

The perception path is characterized by the physical input signal, which is to be assessed, reaching the sensory organs of the observer. This physical event is processed through low-level perceptual processes into a perceived feature within the constraints of the reference path. This perceived feature undergoes a reflection process, which interprets these sensory features through cognitive processing. At this point, the perceived concepts can be described and potentially quantified to become perceived quality features.

The quality features resulting from the reference and perception paths are then translated into the experienced quality by the comparison and judgment process. This experienced quality is delimited in time, space, and character, and thus can be called a quality event. The relevant information about the event can only be obtained from the user at a descriptive level.

The final step of the quality formation lies in some kind of comparison of the expected and experienced features. In this particular case, the output of the quality formation process corresponds to the quality of experiencing.

Definition of Quality of Experience

Combining the concepts and definitions from the preceding sections, the definition of QoE that reflects broad industry and academic consensus is as follows:

Quality of experience (QoE) is the degree of delight or annoyance of the user of an application or service. It results from the fulfillment of his or her expectations with respect to the utility/enjoyment of the application or service in the light of the user’s personality and current state.

11.5 QoE Strategies in Practice

Key findings from QoE-related projects show that for many services, multiple QoS parameters contribute toward the overall user’s perception of quality. This has resulted in the emergence of the concept of the QoE/QoS layered approach in which the requirements of the users drive network-dimensioning strategies.

The QoE/QoS Layered Model

The QoE/QoS layered approach does not ignore the QoS aspect of the network; instead, the user and service level perspectives are complementary to it, as shown in Figure 11.4.

Note that because there is an overlap between the QoE and QoS domains, there is a considerable amount of information sharing/feedback between the frameworks.

FIGURE 11.4 QoE/QoS Layered Model with the Domains of Interest for the Frameworks

The levels in the layered approach are as follows:

User: The user interacts with the service. It is their degree of delight or annoyance from using the service that is to be measured. Being linked to human perception, QoE is hard to describe in a quantitative way, and it varies from person to person. The complexities of QoE at the user level stem from the differences between individual user characteristics, of which some might be time-varying, whereas others are of a relatively stable nature. Examples could include gender, age, attitudes, prior experience, expectations, socio-economic status, cultural background, educational level, and so on. Therefore, it becomes a challenge to derive unified QoE metrics for all users and their contexts. The current practice in any QoE measurement is to identify and control for the relatively stable characteristics of a user in a way that is satisfactory to at least a large proportion of the potential user group.

Service: The service level provides a virtual level where the user’s experience of the overall performance of the service can be measured. It is the interface where the user interacts with the service (for example, the visual display to the user). It is also where tolerance thresholds are measured. As an illustration, the QoE measures from the user perspective for streaming applications could be startup time, audio/visual quality, channel change delay, and buffering interruptions. However, the QoE measures for web browsing applications could be page load waiting times.

Application-level QoS (AQoS): AQoS deals with the control of application-specific parameters such as content resolution, bit rate, frame rate, color depth, codec type, layering strategy, and sampling rate. The network capacity often dictates the bandwidth that will be allocated to a service for transmission. Because of this fixed underlying resource, some parameters at the application level are usually adjusted and controlled to achieve a desired quality level. For example, for an audio service, a sampling rate of 96 kHz might allow for more information to be audibly perceived as compared to a 48-kHz rate. But this larger sampling rate comes with the expense of generating bigger audio file sizes. This is because the sampling rate is the number of times an analog sound signal is measured per second. Each of these measurements (or samples) is stored or transmitted as a digital value.

As another example, for video services, there is a huge variety of device screen sizes (each with its own aspect ratio) from which to choose. The one common feature across this array of equipment is that all of the devices are capable of rescaling video images. For a given bit rate, there might be a trade-off between lower-resolution images that are slightly blurred but have fewer digital artifacts (visual anomalies) and higher-resolution images that are sharper but possibly have more artifacts. The bit rate usually provides an indication of the quality of a video (or audio) file, because it represents the number of bits used to encode each second of the file. Most compression standards use block-based and motion-compensated coding schemes, and as a result additional compression artifacts are added to the decoded video.

Network-level QoS (NQoS): This level is concerned with the low-level network parameters such as service coverage, bandwidth, delay, throughput, and packet loss. There are a number of ways in which network-level QoS parameters impact QoE. One such way is via network delay, which impacts QoE especially for interactive services. For instance, the interactive nature of web browsing that requires multiple retrieval events within a certain window of time might be affected by delay variations of the network. Voice over IP (VoIP) services might have stringent response-time demands, whereas e-mail services might tolerate much longer delays.

The different distribution methods of streaming video over the network also affect QoE in different ways. For instance, HTTP-based adaptive streaming, which uses TCP, reacts to bandwidth constraints and CPU capacity in either of the following ways:

Switching to streaming using other available bit rate encodings, depending on available resources

Frame freeze (rebuffering) occurring because of incoming packet starvation in the player buffer

The bit rate switches and rebuffering have an adverse effect on QoE.
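As an added illustration (not code from the book or any real player), the following Python simulation models an HTTP adaptive-streaming client reacting to a throughput dip with exactly the two behaviours just described, bit-rate switching and rebuffering, and records the session measures that result. The bit-rate ladder, segment length, safety factor and bandwidth trace are constructed assumptions.

```python
"""Simulated HTTP adaptive-streaming player: added illustration, not code from
the book or any real player. The bit-rate ladder, segment length, safety
factor and bandwidth trace are all constructed values."""
from dataclasses import dataclass, field

LADDER_KBPS = [400, 800, 1500, 3000]   # encodings the server offers (assumed)
SEGMENT_SEC = 2.0                      # media seconds per segment (assumed)
STARTUP_SEGMENTS = 2                   # segments buffered before playback starts
SAFETY = 0.8                           # use at most 80% of the measured throughput

# Throughput (kbit/s) observed while each successive segment downloads; a
# constructed trace with a sharp dip in the middle.
TRACE_KBPS = [3000, 3000, 1200, 300, 300, 3000, 3000]


@dataclass
class Session:
    """Per-session QoE measures of the kind a player would report."""
    startup_delay: float = 0.0     # wall-clock seconds until playback starts
    rebuffer_events: int = 0       # number of frame freezes
    rebuffer_time: float = 0.0     # total seconds spent frozen
    switches: int = 0              # number of bit-rate changes
    bitrates: list = field(default_factory=list)   # rate chosen per segment

    def average_bitrate(self) -> float:
        return sum(self.bitrates) / len(self.bitrates) if self.bitrates else 0.0


def choose_rate(estimate_kbps: float) -> int:
    """Rate-based adaptation: the highest rung that fits under SAFETY * estimate,
    falling back to the lowest rung when nothing fits."""
    fitting = [r for r in LADDER_KBPS if r <= SAFETY * estimate_kbps]
    return max(fitting) if fitting else LADDER_KBPS[0]


def simulate(trace_kbps: list) -> Session:
    """Download one segment per trace entry and play from a buffer.
    The throughput estimate used for the next choice is the throughput
    measured while the previous segment downloaded."""
    s = Session()
    buffer_sec = 0.0   # media seconds downloaded but not yet played
    clock = 0.0        # wall-clock seconds since the first request
    playing = False
    estimate = trace_kbps[0]   # first pick uses the initial probe value
    for throughput in trace_kbps:
        rate = choose_rate(estimate)
        if s.bitrates and rate != s.bitrates[-1]:
            s.switches += 1
        s.bitrates.append(rate)
        download_sec = rate * SEGMENT_SEC / throughput   # kbit / (kbit/s)
        if playing:
            if download_sec > buffer_sec:
                # the buffer runs dry before the segment lands: frame freeze
                s.rebuffer_events += 1
                s.rebuffer_time += download_sec - buffer_sec
                buffer_sec = 0.0
            else:
                buffer_sec -= download_sec   # playback continues meanwhile
        clock += download_sec
        buffer_sec += SEGMENT_SEC
        if not playing and len(s.bitrates) >= STARTUP_SEGMENTS:
            playing = True
            s.startup_delay = clock
        estimate = throughput
    return s


if __name__ == "__main__":
    result = simulate(TRACE_KBPS)
    print(f"startup {result.startup_delay:.1f}s, "
          f"{result.rebuffer_events} rebuffers ({result.rebuffer_time:.1f}s), "
          f"{result.switches} switches, avg {result.average_bitrate():.0f} kbit/s")
```

On the constructed trace the dip to 300 kbit/s produces two freezes before the player has stepped down to its lowest rung, which is the sequence of events the text calls adverse to QoE.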

UDP streaming, however, uses multicast to replicate the streams throughout the network. Quite often a resilient coding scheme and a flow control mechanism are implemented to maintain the viewing experience despite the effects of bad network conditions.

Summarizing and Merging the QoE/QoS Layers

The preceding discussion suggests that the effect on QoE could be an attribute of the application layer alone or of a combination of the application and network layers. Although the trade-offs between quality and network capacity may begin with application-level QoS because of network capacity considerations, an understanding of the user requirements at the service level (that is, in terms of QoE measures) would enable a better choice of application-level QoS parameters to be mapped onto the network-level QoS parameters. A scenario that aims at controlling QoE using QoS parameters as actuators is discussed in Section 11.8.

11.6 Factors Influencing QoE

QoE must be studied and addressed by taking into account both technical and nontechnical factors. Many factors contribute to producing a good QoE. Here, the key factors are as follows:

User demographics: The context of demographics herein refers to the relatively stable characteristics of a user that might have an indirect influence on perception, and intimately affects other technical factors to determine QoE. In a landmark project [QUIN12] studying the adoption of HD voice telephony, the different user groups produced significantly different quality ratings. The grouping of users was based on demographic characteristics such as their attitudes toward adoption of new technologies, socio-demographic information, socioeconomic status, and prior knowledge. Cultural background is another user demographic factor that might also have an influence on perception because of cultural attitude to quality.

Type of device: Different device types possess different characteristics that may impact QoE. An application designed to run on more than one device type, for example on a connected TV device such as Roku and on an iOS device such as an iPhone, may not deliver the same QoE on every device.

Content: Content types can range from interactive content specifically curated according to personal interests to content that is produced for linear TV transmission. Studies have suggested that people tend to watch video on-demand (VoD) content with a higher level of engagement than its competing alternative, linear TV. This may be because users make an active decision to watch specific VoD content and, as a result, give it their full attention. One could infer that VoD users might be less tolerant of any quality degradation because of their high level of engagement.

Connection type: The type of connection used to access the service influences users’ expectations and their QoE. Users have been found to have lower expectations when using 3G connections than with a wireline connection, even when the two connection types were identical in terms of their technical conditions. Users have also been found to lower their expectations considerably, and to be more tolerant of visual impairments, on small devices.

Media (audio-visual) quality: This is a significant factor affecting QoE, as it is the part of a service that is most noticeable by the user. The overall audio and video quality appears to be content dependent. For less-complex scenes (for example, head and shoulder content), audio quality is slightly more important than video quality. In contrast, for high-motion content, video quality tends to be significantly more important than audio quality.

Network: Content delivery via the Internet is highly susceptible to the effects of delay, jitter, packet loss, and available bandwidth. Delay variation results in the user experiencing frame freezes and a lack of lip synchronization between what is heard (audio) and what is seen (video). Although video content can be delivered using a number of Internet protocols, not all of them are reliable; content delivery is guaranteed, however, when TCP/IP is used. Nevertheless, bad network conditions degrade QoE because of increased rebuffering and increased interruptions in playback. Rebuffering interruptions in IP video playback are seen as the worst degradation of user QoE and should be avoided even at the cost of startup delay. On the same note, QoE for a given startup delay strongly depends on the application context and the user expectations. Across the different network-related QoE factors, reliability and a strong wireless signal are crucial for consuming TV-like services.

Usability: Another QoE factor is the amount of effort that is required to use the service. The service design must render good quality without a great deal of technical input from the user.

Cost: The long-established practice of judging quality by price implies that expectations are price dependent. If the tariff for a certain service quality is high, users may be highly sensitive to any quality degradations.

11.7 Measurements of QoE

QoE measurement techniques evolved through the adaptation and application of psychophysics methods during the early stages of television systems. This section introduces three QoE measurement methods: subjective assessment, objective assessment, and end-user device analytics.

Subjective Assessment

For subjective assessment of QoE, experiments are carefully designed to a high level of control (such as in a controlled laboratory, field tests, or crowdsourcing environments) so that the validity and reliability of the results can be trusted. It might be useful to consult expert advice during the initial design of the subjective experiment, because the topics of experimental design, experimental execution, and statistical analysis are complex. In general terms, a methodology to obtain subjective QoE data might consist of the following phases:

Characterize the service: The task at this stage is to choose the QoE measures that affect user experience the most. As an example, for a multimedia conferencing service, the quality of the voice takes precedence over the quality of video. Also, the video quality required for such applications does not demand a very high frame rate, provided that audio-to-video synchronization is maintained. Therefore, the resolution of individual frames can be considerably lower than the case of other video streaming services, especially when the size of the screen is small (such as a mobile phone). So, in multimedia conferencing, the QoE measures might be prioritized as voice quality, audio-video synchronization, and image quality.

Design and define test matrix: Once the service has been characterized, the QoS factors that affect the QoE measures can be identified. For instance, the video quality in streaming services might be directly affected by network parameters such as bandwidth, packet loss, and encoding parameters such as frame rate, resolution, and codec. The capability of the rendering device will also play a significant role in terms of screen size and processing power. However, testing such a large combination of parameters may not be feasible. This draft matrix could be reduced to more achievable test conditions by eliminating the combinations that have similar effects on QoE.

Specify test equipment and materials: Subjective tests should be designed to specify test equipment that will allow the test matrix to be enforced in a controlled fashion. For instance, to assess the correlation between NQoS parameters and the perceived QoE in a streaming application, at least a client device and a streaming server separated by an emulated network are needed. If the objective is to evaluate how different device capabilities impact QoE, video content is chosen and produced in formats that can run on each of the client devices under scrutiny.

Identify sample population: A representative sample population is identified, possibly covering different classes of users categorized by the user demographics that are of interest to the experimenter. Depending on the target environment for the subjective test, at least 24 test subjects have been suggested as the ideal number for a controlled environment (for example, a laboratory) and at least 35 test subjects for a public environment. Fewer subjects may be used for pilot studies to indicate trends. The use of crowdsourcing in the context of subjective assessment is still nascent, but it has the potential to further increase the size of the sample population and could reduce the completion time of the subjective test.

Subjective methods: Several subjective assessment methodologies exist within the industry recommendations. However, in most of them, the typical recommendation is for each test subject to be presented with the test conditions under scrutiny along with a set of rating scales that allows the correlation of the users’ responses with the actual QoS test conditions being tested. There are several rating scales, depending on the design of the experiment.

Analysis of results: When the test subjects have rated all QoS test conditions, a post-screening process might be applied to the data to remove any erroneous data from a test subject that appears to have voted randomly. Depending on the design of the experiment, a variety of statistical approaches could be used to analyze results. The simplest and the most common quantification method is the mean opinion score (MOS), which is the average of the opinions collected for a particular QoS test condition. The results from subjective assessment experiments are used to quantify QoE, and to model the impacts of QoS factors. Subjective experiments require significant planning and design so as to produce reliable subjective MOS ratings. However, they are time-consuming, expensive to carry out, and are not feasible for real-time in-service monitoring. In such situations, the use of objective assessment is often desirable.
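An added illustration (not code from the book) of the analysis phase: constructed ACR ratings from six subjects over four packet-loss conditions are post-screened to drop a subject who appears to have voted randomly, and the MOS with a 95% confidence interval is then computed per condition. The screening rule (leave-one-out correlation against the panel mean, threshold 0.75) and the normal-approximation interval are assumptions, not methods the text specifies.

```python
"""Post-screening and MOS computation for a subjective QoE test: added
illustration, not code from the book. Ratings are constructed on a 5-point
ACR scale; the screening rule (leave-one-out correlation, threshold 0.75) and
the normal-approximation confidence interval are assumptions."""
from math import sqrt

# QoS test conditions presented to every subject (constructed labels)
CONDITIONS = ["loss_0pct", "loss_1pct", "loss_2pct", "loss_5pct"]

# subject -> one rating per condition, 1 (bad) .. 5 (excellent); constructed
RATINGS = {
    "S1": [5, 4, 3, 1],
    "S2": [5, 4, 3, 2],
    "S3": [4, 4, 3, 1],
    "S4": [5, 3, 2, 1],
    "S5": [4, 3, 3, 2],
    "S6": [2, 5, 1, 4],   # does not track the conditions: looks like random voting
}
CORR_THRESHOLD = 0.75   # assumed cut-off for keeping a subject
Z95 = 1.96              # normal-approximation factor for a 95% interval


def pearson(x, y):
    """Pearson correlation of two equal-length sequences (0.0 if degenerate)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / sqrt(sxx * syy) if sxx and syy else 0.0


def condition_means(ratings):
    """Mean rating per condition over the given subjects."""
    n = len(ratings)
    return [sum(v[i] for v in ratings.values()) / n for i in range(len(CONDITIONS))]


def screen_subjects(ratings, threshold=CORR_THRESHOLD):
    """Split subjects into (kept, rejected). A subject is rejected when their
    ratings correlate weakly with the panel means computed WITHOUT them, so a
    random voter cannot pull the reference toward their own votes."""
    kept, rejected = {}, {}
    for subj, votes in ratings.items():
        others = {s: v for s, v in ratings.items() if s != subj}
        r = pearson(votes, condition_means(others))
        (kept if r >= threshold else rejected)[subj] = votes
    return kept, rejected


def mos_with_ci(ratings):
    """Per condition: (MOS, 95% CI half-width) using the sample standard deviation."""
    result = {}
    for i, cond in enumerate(CONDITIONS):
        votes = [v[i] for v in ratings.values()]
        n = len(votes)
        mean = sum(votes) / n
        var = sum((v - mean) ** 2 for v in votes) / (n - 1)
        result[cond] = (mean, Z95 * sqrt(var / n))
    return result


if __name__ == "__main__":
    kept, rejected = screen_subjects(RATINGS)
    print("rejected:", sorted(rejected))
    for cond, (mos, ci) in mos_with_ci(kept).items():
        print(f"{cond}: MOS {mos:.2f} +/- {ci:.2f}")
```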

Objective Assessment

For objective assessment of QoE, computational algorithms provide estimates of audio, video, and audiovisual quality as perceived by the user. Each objective model targets a specific service type. The goal of any objective model is to find the optimum fit that strongly correlates with data obtained from subjective experiments. The phases presented here should not be considered exhaustive; they aim to illustrate a process for obtaining objective QoE data. A methodology to obtain objective QoE data might consist of the following phases:

Database of subjective data: A starting point might be the collection of a group of subjective datasets, as this could serve as a benchmark for training and verifying the performance of the objective model. A typical example of one of these datasets might be the subjective QoE data generated from well-established subjective testing procedures, as discussed earlier. The selection of the subjective datasets should typically reflect the use cases of the objective model.

Preparation of objective data: The data preparation for the objective model might typically include a combination of the same QoS test conditions as found in the subjective datasets, as well as other complex QoS conditions. A variety of preprocessing procedures might be applied to the video data prior to training and refinement of the algorithm.

Objective methods: There are various algorithms in existence that can provide estimates of audio, video, and audiovisual quality as perceived by the user. Some algorithms are specific to a perceived quality artifact, while others can provide estimates for a wider scope of quality artifacts. Examples of the perceived artifacts might include blurring, blockiness, unnatural motion, pausing, skipping, rebuffering, and imperfect error concealment after transmission errors.

Verification of results: After the objective algorithm has processed all QoS test conditions, the predicted values might benefit from a post-screening process to remove any outliers; this is the same concept applied to the subjective datasets. The predicted values from the objective algorithm might be on a different scale from the subjective QoE datasets. The predicted values might be transformed to the same scale as obtained in the subjective experiments (for example, into mean opinion scores) to enable like-for-like comparisons, and also so that an optimum fit between the predicted QoE values and the subjective QoE data can be obtained.

Validation of objective model: The objective data analysis might be evaluated with respect to its prediction accuracy, consistency, and linearity by using a different subjective dataset. It is worth noting that the performance of the model might depend on the training datasets and the verification procedures. The Video Quality Experts Group (VQEG) validates the performance of objective perceptual models so that they can become ITU recommendations and standards for objective quality models for both television and multimedia applications.
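An added illustration (not code from the book or from any VQEG test plan) of the verification and validation phases above: constructed objective scores on a native 0..100 scale are mapped onto the MOS scale by a least-squares fit, and the fit is then scored for accuracy, consistency and linearity. The dataset, and the use of RMSE, outlier ratio and Pearson correlation for those three properties, are assumptions.

```python
"""Mapping an objective quality metric onto the MOS scale and scoring the fit:
added illustration, not code from the book or any VQEG test plan. The
objective scores, MOS values and CI half-widths are constructed; RMSE
(accuracy), outlier ratio (consistency) and Pearson correlation (linearity)
as the three figures of merit is an assumption."""
from math import sqrt

# One row per QoS test condition: (objective model output on its native
# 0..100 scale, subjective MOS, 95% CI half-width of that MOS); constructed.
DATASET = [
    (90, 4.5, 0.25),
    (80, 4.2, 0.25),
    (70, 3.6, 0.25),
    (60, 3.2, 0.25),
    (50, 2.8, 0.25),
    (40, 2.2, 0.08),   # tight interval: the model's error here counts as an outlier
    (30, 1.9, 0.25),
    (20, 1.4, 0.25),
]


def fit_linear(xs, ys):
    """Least-squares line ys ~ slope * xs + intercept (model output -> MOS)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    slope = sxy / sxx
    return slope, my - slope * mx


def pearson(xs, ys):
    """Pearson correlation coefficient (linearity of prediction vs. MOS)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / sqrt(sxx * syy)


def evaluate(dataset):
    """Fit the scale mapping, then report accuracy, consistency and linearity."""
    xs = [row[0] for row in dataset]
    mos = [row[1] for row in dataset]
    cis = [row[2] for row in dataset]
    slope, intercept = fit_linear(xs, mos)
    predicted = [slope * x + intercept for x in xs]          # now on the MOS scale
    residuals = [p - m for p, m in zip(predicted, mos)]
    rmse = sqrt(sum(r * r for r in residuals) / len(residuals))
    # an outlier is a prediction that falls outside the subjective CI of its condition
    outliers = sum(1 for r, ci in zip(residuals, cis) if abs(r) > ci)
    return {
        "slope": slope,
        "intercept": intercept,
        "rmse": rmse,                                # accuracy
        "outlier_ratio": outliers / len(dataset),    # consistency
        "pearson_r": pearson(predicted, mos),        # linearity
    }


if __name__ == "__main__":
    for key, value in evaluate(DATASET).items():
        print(f"{key:14s} {value:.4f}")
```

Validation proper would repeat evaluate() on a second, held-out subjective dataset with the slope and intercept frozen from the first, which is the check the last phase describes.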

End-User Device Analytics

End-user device analytics is yet another alternative method of QoE measurement. Real-time data such as the connection time, bytes sent, and average playback rate are collected by the video player application for each video viewing session and fed back to a server module where the data is pre-aggregated and then turned into actionable QoE measures. Some of the metrics reported for per-user and aggregate viewing sessions include startup delay, rebuffering delays, average bit rates, and the frequency of bit rate switches.

 

Operators may be inclined to associate viewer engagement levels with QoE, because good QoE usually makes viewers less likely to abandon a viewing session. The definition of viewer engagement may have different meanings for different operators and contexts. First of all, operators might like to know which viewer engagement metrics affect QoE the most, to guide the design of the delivery infrastructures. Second, they might also like to quickly identify and resolve service outages and other quality issues. A minute of encoder glitch could replicate throughout the ISPs and the various delivery infrastructures and affect all their customers. Operators might like to know the scale of this impact and how it affects users' engagement. Finally, they would like to understand their customers' demographics (connection methods, type of device, bit rates of the consumed asset) within a demographic region so that resources can be strategically dimensioned.

QoE enthusiasts advocate that QoE measurement be a multidisciplinary approach that seeks to explain its findings by building on the general laws of perception, sociology, and user psychology. With the use of end-user device analytics as a means of QoE measurement, there are many variables that cannot be accounted for (for example, why a user exits a service). A lack of interest in watching the content might result in a user exiting a service, and not necessarily because of poor QoE.

One method of tackling these unexplained variables is to use the fraction of video viewed as a measure of engagement because this can be measured objectively. The data that appears to belong to early quitters can then be systematically removed from any analyses to obtain a clearer understanding of how the QoE measures impact viewer engagement.

Summarizing the QoE Measurement Methods

The mean opinion score (MOS) appears to be the de facto standard metric for QoE. The possible reasons could be its long-term establishment in telephony networks, and perhaps its widespread acceptance on the merit that it can be easily understood. There are different types of MOS values and different test methodologies to produce them. See ITU-T Recommendation P.913, Methods for the Subjective Assessment of Video Quality, Audio Quality and Audiovisual Quality of Internet Video and Distribution Quality Television in Any Environment, 2014, for more details. Table 11.2 shows the five-point absolute category rating MOS scale that is commonly used.

TABLE 11.2 Five Point MOS Rating Scale

The MOS value is the average opinion for the group of users, for a given QoS test condition. It is not necessarily the opinion score for an individual user, because different users have different opinions. Additional information such as statistical uncertainty in terms of confidence intervals is usually encouraged. The MOS is considered to be characteristic of only the experiment and the group of test subjects from which it was derived.
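To make the MOS and confidence-interval idea concrete, here is an added Python example (it is not code from the book) that computes a per-condition MOS with a 95% confidence interval from constructed five-point ACR ratings, after a simple post-screening step that drops individual scores lying more than two standard deviations from the condition mean. The ratings and the screening rule are assumptions for illustration only; the 1.96 factor is the normal-approximation half-width that ITU-R BT.500 uses for the confidence interval of a subjective test.

```python
"""MOS with 95% confidence interval per QoS test condition (added example)."""
from math import sqrt
from statistics import mean, stdev

# Constructed ACR ratings (5 = Excellent ... 1 = Bad), one list per QoS test condition.
# Each list holds one score per test subject; the values are made up for illustration.
RATINGS = {
    "no_loss":        [5, 4, 5, 4, 5, 4, 5, 5],
    "loss_1_percent": [4, 3, 4, 3, 4, 3, 3, 1],   # contains one suspiciously low score
    "loss_5_percent": [2, 2, 1, 2, 3, 2, 2, 2],
}


def screen_outliers(scores, k=2.0):
    """Single-pass post-screening: drop scores more than k standard deviations
    from the condition mean. (Assumed rule for illustration; ITU-R BT.500 defines
    its own subject-rejection procedure, which is more elaborate.)"""
    if len(scores) < 3:
        return list(scores)
    m, s = mean(scores), stdev(scores)
    if s == 0:
        return list(scores)
    return [x for x in scores if abs(x - m) <= k * s]


def mos_with_ci(scores):
    """Return (MOS, 95% half-width, n). Half-width = 1.96 * s / sqrt(n)."""
    n = len(scores)
    m = mean(scores)
    s = stdev(scores) if n > 1 else 0.0
    return m, 1.96 * s / sqrt(n), n


def summarize(ratings, k=2.0):
    """Screen, then compute MOS and CI for every QoS test condition."""
    return {cond: mos_with_ci(screen_outliers(scores, k))
            for cond, scores in ratings.items()}


def conditions_distinguishable(summary, a, b):
    """True when the 95% intervals of two conditions do not overlap, i.e. the
    MOS difference is unlikely to be noise from the particular subject sample."""
    ma, ha, _ = summary[a]
    mb, hb, _ = summary[b]
    return abs(ma - mb) > ha + hb


if __name__ == "__main__":
    summary = summarize(RATINGS)
    for cond, (m, h, n) in summary.items():
        print(f"{cond:15s} MOS = {m:.2f} +/- {h:.2f}  (n = {n})")
    print("no_loss vs loss_5_percent distinguishable:",
          conditions_distinguishable(summary, "no_loss", "loss_5_percent"))
```

The half-width is what the text means by reporting "statistical uncertainty in terms of confidence intervals": a MOS of 3.4 from seven subjects says little on its own, but a MOS with its interval tells the reader whether two QoS conditions are actually separable by this panel.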

 

MOS has to be interpreted within context. First of all, the MOS value obtained for a particular QoS test condition in a subjective experiment may depend on the range of QoS test conditions used in the experiment. This might be due to test subjects recalibrating their use of the rating scale to the conditions in the experiment. An appropriately designed experiment, with a practice period at the start and test conditions that include the best and worst conditions, minimizes the effects of this behavior.

Direct comparisons of MOS scores obtained from separate experiments are generally not meaningful. They are only meaningful if the experiments have been specially designed to enable such comparisons. Data from such specially configured experiments must be studied to show that the MOS comparisons are statistically valid. Biases in the interpretation of the rating scale might exist because of differences in the test subject profiles (for example, age and technology exposure, test environment, and the presentation order of the test conditions).

It is possible that different objective models that have been trained and optimized using different subjective contexts will predict nonidentical MOS values for the same QoS conditions. Objective models are usually developed and optimized for a specific scope of quality features. As a consequence, comparisons between MOS predictions and thresholds can only be reliably made if the thresholds are chosen in the context of the MOS model.

Objective assessment seems to offer real-time QoE measurements, and end-user device analytics appears to be an alternative approach to QoE measurement. Currently, there is a lack of a reference methodology for end-user device analytics as a method of QoE measurement, analogous to the mean opinion scores found in subjective and objective assessments.

A limiting factor to this development might be the restricted rights governing service providers' usage of their databases. This makes it challenging for researchers, service providers, and delivery infrastructure designers to develop better delivery infrastructures.

Subjective experiments are probably still the most accurate way to measure QoE, and also the only way to obtain reliable ground truth data used in benchmarking objective QoE models.

11.8 Applications of QoE

The practical applications of QoE can be grouped into two areas based on the main usage.

Service QoE monitoring: Service monitoring allows the support teams (for example, the service provider and the network operator) to continually monitor the quality experienced by the end users of the service. A service alert message might be sent to the support teams when QoE falls below a certain threshold value, as this allows the support teams to quickly identify and resolve service outages and other QoE issues.

Depending on the use case of the service being monitored, such monitoring tools might be located at any one node, or at all nodes, within the content delivery ecosystem. The nodes could be at the headend incoming feeds, in the distribution networks, and at endpoint locations. This approach might introduce high monitoring overheads in a per-user scenario.

QoE-centric network management: The ability to control and optimize the user experience when QoE degradation issues arise is the holy grail of QoE network management. Given the multidimensional aspect of the overall QoE (such as the network-level conditions of the subnetworks, application-level QoS, device capability, and user demographics), a typical challenge lies in providing actionable QoE information feedback to the network or service provider.

Two approaches in which QoE-centric network management can be exploited are as follows:

In the first approach, a set of QoS measurement values, together with the appropriate assumptions, is used to compute the expected QoE for a user.

In the second approach, which is somewhat the opposite of the first, a target QoE for a user, together with the appropriate assumptions, is used to produce estimates of the required QoS values.

The first approach can be taken by a service provider, who can provide a range of QoS offerings with an outline of the QoE that the customer might reasonably expect.

The second approach can be taken by a customer who defines the required QoE, and then determines what level of service will meet that need.

Figure 11.5 illustrates a scenario where the user can make a selection from a range of services, including the required level of service (SLA). In contrast to purely QoS-based management, the SLA here is not expressed in terms of raw network parameters. Instead, the user indicates a QoE target; it is the service provider that maps this QoE target, together with the type of service selected, onto QoS demands.

FIGURE 11.5 QoE-Centric Network Management

For instance, in the case of a multimedia streaming service, the user may simply choose between two QoE levels (high or low). The service provider selects the appropriate quality prediction model and management strategy (for example, minimize network resource consumption) and forwards a QoS request to the operator. It is possible that the network cannot sustain the required level of QoS, making it impossible to deliver the requested QoE. This situation leads to a signal back to the user, prompting a reduced set of services/QoE values.

Assuming that the network can support the service, delivery can be activated. During service operation, two monitoring and control loops run concurrently: one at the network level and the other at the service level. The latter allows the user to switch to a different level of QoE (for example, to get a cheaper service or to request higher quality). If the user generates no explicit feedback, this means that the user is satisfied, which confirms that the quality prediction model is working. In this way, the quality prediction model continues to be redefined during service delivery, allowing it to evolve as user needs and devices change over time.

11.9 Key Terms

After completing this chapter, you should be able to define the following terms.

trick mode

cognitive

QoE measurement

contextual

perception

subjective assessment

quality of experience

event

objective assessment

Chapter 12. Network Design Implications of QoS and QoE

By Sofiene Jelassi

Assistant Professor, University of Monastir, Tunisia

But some amazing experience had disturbed his native composure and left its traces in his bristling hair, his flushed, angry cheeks, and his flurried, excited manner.

The Adventure of Wisteria Lodge, Sir Arthur Conan Doyle

Chapter Objectives: After studying this chapter, you should be able to

Translate metrics from the QoS to the QoE domain.

Select the appropriate QoE/QoS mapping model for a given operational situation.

Deploy QoE-centric monitoring solutions over a given infrastructure.

Deploy QoE-aware applications over a QoE-centric infrastructure.

This chapter concludes Part Four by bringing together the concepts of quality of service (QoS) and quality of experience (QoE) and discussing the practical implications of employing these two concepts.

The chapter is organized as follows: Section 12.1 classifies existing QoS/QoE mapping models from practical perspectives. Section 12.2 enumerates a few IP-oriented QoE/QoS mapping models used for video services. Section 12.3 discusses approaches that could be used to add QoE capability to networks and services. Sections 12.4 and 12.5 describe, respectively, QoE-centric monitoring and management solutions.

12.1 Classification of QoE/QoS Mapping Models

Typically, mathematical models are used to define the empirical relationship between QoS and QoE. These models will be referred to hereafter as either QoE/QoS mapping models or quality models. They are derived using classical approaches that fit a model to a dataset, such as regression, artificial neural networks, and Bayesian networks. Today, a wide range of QoE/QoS mapping models is reported in the literature. They differ in terms of their inputs, working modes, accuracy, and application areas. The application area of QoE/QoS mapping models depends mostly on their inputs. QoE/QoS mapping models can be classified according to their inputs into three categories:

Black-box media-based models

Glass-box parameter-based models

Gray-box parameter-based models

The sections that follow describe these models.

Black-Box Media-Based QoS/QoE Mapping Models

Black-box media-based quality models rely on the analysis of media gathered at the system entrance and exit. Hence, they account implicitly for the characteristics of the examined media processing system. They are classified into two categories:

Double-sided or full-reference quality models: They use as inputs the clean stimulus and the corresponding degraded stimulus (see part a of Figure 12.1). They compare the clean and degraded stimuli in a perceptual domain that accounts for the psychophysical capability of the human sensory system. The perceptual domain is a transformation of the traditional physical temporal and frequency domains performed according to the characteristics of users' perception. Basically, the larger the perceptual distance, the greater the degradation level. This model needs to align the clean and degraded stimuli because the comparison is made on a per-block basis. The stimulus alignment should be realized autonomously, that is, without adding extra control information describing the stimulus structure.

FIGURE 12.1 Black-Box Media-Based QoS/QoE Mapping Models

 

One-sided or no-reference quality models: They rely solely on the degraded stimulus to estimate the final QoE values. They parse the degraded stimulus to extract the observed distortions, which depend on the media type, for example, audio, image, and video. As an example, artifacts extracted from an audio stimulus include whistle, circuit noise, echoes, level saturation, clapping, interruptions, and pauses (see part b of Figure 12.1). The gathered distortions are adequately combined and transformed to compute the QoE values.
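As an added illustration of the full-reference mechanics described above (example code, not from the book), the following Python compares a constructed clean stimulus with a degraded copy that has been delayed, had noise added, and had a segment muted (a stand-in for what a crude loss concealment might output). It first recovers the delay autonomously by searching for the cross-correlation peak, with no side information about the stimulus structure, and then compares the two signals block by block. The comparison is done in the raw time domain rather than a perceptual domain, and the distance-to-score mapping is an assumed linear rule, so the numbers are only illustrative of the pipeline, not of any standardized model.

```python
"""Toy full-reference (double-sided) quality model: align, then compare per block."""
import random
from math import sqrt
from statistics import mean


def make_clean(n=256, seed=1):
    """Constructed 'clean stimulus': a random waveform stands in for real media."""
    rng = random.Random(seed)
    return [rng.uniform(-1.0, 1.0) for _ in range(n)]


def degrade(clean, delay=7, noise=0.05, mute_from=100, mute_len=20, seed=2):
    """Constructed degradation: transport delay, additive noise and a muted span."""
    rng = random.Random(seed)
    out = [0.0] * delay + [x + rng.uniform(-noise, noise) for x in clean]
    for i in range(delay + mute_from, delay + mute_from + mute_len):
        out[i] = 0.0
    return out


def align(clean, degraded, max_lag=32):
    """Recover the delay without side information: the lag that maximises the
    normalised cross-correlation between the clean and degraded signals."""
    n = len(clean)
    best_lag, best_corr = 0, float("-inf")
    for lag in range(max_lag + 1):
        seg = degraded[lag:lag + n]
        if len(seg) < n // 2:
            break
        corr = sum(a * b for a, b in zip(clean, seg)) / len(seg)
        if corr > best_corr:
            best_lag, best_corr = lag, corr
    return best_lag


def block_distances(clean, degraded, lag, block=16):
    """RMS difference per block after aligning the degraded signal."""
    aligned = degraded[lag:lag + len(clean)]
    dists = []
    for start in range(0, len(clean), block):
        c = clean[start:start + block]
        d = aligned[start:start + block]
        dists.append(sqrt(mean((a - b) ** 2 for a, b in zip(c, d))))
    return dists


def full_reference_score(clean, degraded):
    """Return (recovered lag, mean block distance, score on a 1..5 scale).
    The distance-to-score mapping (5 - 8 * mean distance, clipped) is an assumed
    placeholder; a real model would calibrate it against subjective MOS data."""
    lag = align(clean, degraded)
    dists = block_distances(clean, degraded, lag)
    md = mean(dists)
    score = max(1.0, min(5.0, 5.0 - 8.0 * md))
    return lag, md, score


if __name__ == "__main__":
    clean = make_clean()
    lag, md, score = full_reference_score(clean, degrade(clean))
    print(f"recovered delay = {lag} samples, mean block distance = {md:.3f}, score = {score:.2f}")
    # A clean copy of itself scores 5.0, so the model is anchored at 'no degradation'.
    print("clean vs clean:", full_reference_score(clean, list(clean)))
```

The per-block distances also show why alignment has to come first: without removing the delay, every block would look badly degraded and the muted span would be indistinguishable from the rest.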

 

The main advantage of black-box quality models resides in their ability to measure QoE values using information gathered at the periphery of a given media processing system. Hence, they may be used in a generic fashion over different infrastructures and technologies. This sidesteps a complex and cumbersome measuring process inside the underlying systems. Moreover, it enables quality models to be enhanced unconditionally, that is, independently of the technical and ethical constraints related to the measurement processes. Furthermore, black-box quality models may easily operate on either a per-user or a per-content basis.

The main shortcoming of black-box quality models resides in the requirement to access the final representation of the stimulus, which is often inaccessible in practice for privacy reasons. Moreover, full-reference quality models use the clean stimulus as an input, which is often unavailable or hardly accessible at the system output. This issue may be sidestepped using no-reference quality models, but their unproven and unstable performance confines their effectiveness.

Full-reference black-box quality models are widely used for onsite benchmarking, diagnosis, and tuning of network equipment, where the clean stimulus is available. No-reference quality models may be used for the same purposes, but their limited accuracy reduces the credibility of their results. Black-box quality models are used offline for the evaluation of application-layer components, such as codecs, packet loss concealment (PLC), and buffering schemes. In addition, no-reference black-box quality models may be used online for QoE monitoring.

Glass-Box Parameter-Based QoS/QoE Mapping Models

Glass-box parameter-based quality models quantify the QoE of a given service through the full characterization of the underlying transport network and edge devices. The set of characterization parameters considered and their combination rules are derived from extensive subjective experiments and thorough statistical analysis. Glass-box parameter-based models may operate offline or online, according to the availability of the characterization parameters at a given measurement instant. The characterization parameters include noise, packet loss, coding scheme, one-way delay, and delay jitter. Glass-box parameter-based models are generally less accurate and coarser than black-box media-based ones.

A well-known offline glass-box parameter-based model, named the E-Model, has been defined by the ITU-T in Rec. G.107. The E-Model aims at estimating the QoE of voice calls transmitted over a planned transport infrastructure (The E-Model, A Computational Model for Use in Transmission Planning, 2007). The prevailing version of the E-Model includes 21 basic characterization parameters. The E-Model provides a single scalar value referred to as the rating factor R, which lies between 0 (worst quality) and 100 (excellent quality). In practice, any designed transport configuration that results in a rating factor below 60 should be avoided. In such a case, adequate actions should be undertaken to enhance the QoE of voice calls. The basic characterization parameters are classified into simultaneous, equipment, and delay impairment factors, denoted respectively as Is, Ie, and Id. Is quantifies the impairments that depend on the characteristics of the voice signals, such as quantization and compression. Ie quantifies the impairments caused by equipment, such as packet loss or interruption. Id quantifies the impairments caused by delays and echoes. ITU-T Rec. G.107 gives the range of values of each basic parameter and the mathematical expressions that enable computing the value of each impairment factor. For simplification reasons, the E-Model assumes that the perceived effects of the impairment factors are additive on a psychological scale. Thus, the final rating score R is given by R = R0 – Is – Ie – Id, where R0 refers to user satisfaction under the no-distortion condition.
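The additive structure of the E-Model lends itself to a small worked example. The Python below is added here (it is not the book's code, and it is not an implementation of Rec. G.107, which defines many more parameters) and shows three things: combining R0 and the three impairment factors into R, screening a planned configuration against the threshold of 60 quoted above, and converting R to an estimated MOS with the R-to-MOS mapping given in G.107. It also includes the packet-loss dependent equipment impairment Ie,eff as G.107 defines it, with the codec constants Ie and Bpl given as constructed placeholders rather than the standard's tabulated values, and an inverse step that turns a target R into the delay-impairment budget that remains, which is the target-QoE-to-required-QoS direction described in Section 11.8. All input values are constructed.

```python
"""E-Model style planning calculations (added example, not an implementation of G.107)."""


def rating_factor(r0, i_s, i_e, i_d):
    """R = R0 - Is - Ie - Id: the additive combination assumed by the E-Model."""
    return r0 - i_s - i_e - i_d


def effective_equipment_impairment(i_e, bpl, ppl, burst_r=1.0):
    """Packet-loss dependent equipment impairment factor, as defined in G.107:
    Ie,eff = Ie + (95 - Ie) * Ppl / (Ppl / BurstR + Bpl)
    i_e: codec impairment at zero loss, bpl: packet-loss robustness factor,
    ppl: packet-loss probability in percent, burst_r: burst ratio (1 = random loss).
    The codec constants passed in by the caller are placeholders, not G.113 values."""
    if ppl <= 0:
        return i_e
    return i_e + (95.0 - i_e) * ppl / (ppl / burst_r + bpl)


def r_to_mos(r):
    """R-to-MOS mapping from G.107 (estimated conversational MOS)."""
    if r < 0:
        return 1.0
    if r > 100:
        return 4.5
    return 1.0 + 0.035 * r + r * (r - 60.0) * (100.0 - r) * 7e-6


def acceptable_for_planning(r, threshold=60.0):
    """Planning rule quoted in the text: configurations with R below 60 should be avoided."""
    return r >= threshold


def delay_budget(target_r, r0, i_s, i_e):
    """Inverse use (target QoE -> required QoS): the largest delay impairment Id
    that still meets the target R, given the other factors. A negative result
    means the target is unreachable even with zero delay impairment."""
    return r0 - i_s - i_e - target_r


def plan(r0, i_s, codec_ie, codec_bpl, ppl, i_d, target_r=60.0):
    """Evaluate one planned configuration and return the derived quantities."""
    i_e_eff = effective_equipment_impairment(codec_ie, codec_bpl, ppl)
    r = rating_factor(r0, i_s, i_e_eff, i_d)
    return {
        "Ie_eff": i_e_eff,
        "R": r,
        "MOS": r_to_mos(r),
        "acceptable": acceptable_for_planning(r, target_r),
        "Id_budget": delay_budget(target_r, r0, i_s, i_e_eff),
    }


if __name__ == "__main__":
    # Constructed inputs: R0 = 93.2, Is = 1.4, placeholder codec constants
    # (Ie = 11, Bpl = 19), Id = 8, and three packet-loss levels in percent.
    for ppl in (0.0, 2.0, 10.0):
        result = plan(r0=93.2, i_s=1.4, codec_ie=11.0, codec_bpl=19.0, ppl=ppl, i_d=8.0)
        print(f"loss {ppl:4.1f}%  R = {result['R']:.1f}  MOS = {result['MOS']:.2f}  "
              f"acceptable = {result['acceptable']}  Id budget = {result['Id_budget']:.1f}")
```

Reading the three runs side by side shows the planning use of the model: as the loss figure grows, the equipment impairment eats the delay budget, and at 10% loss the configuration falls below 60 regardless of how little delay the path adds.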

 

Offline glass-box parameter-based quality models are suitable for planning purposes. They enable a general overview of the QoE values of a voice transmission system at an early phase. However, for service monitoring and management, online models are needed. In such a case, the variable model parameters should be acquired at run time. This is especially suitable for IP-based services, where control data, such as sequence numbers and time stamps, are included in each packet header. In such an environment, it is possible to extract static characterization parameters from signaling messages and variable ones from the received packets captured at the destination port. This means that parameters are acquired without accessing the media content, which is preferable for privacy reasons. This class of models will be considered in more detail in Section 12.2.

Gray-Box QoS/QoE Mapping Models

Gray-box quality models combine the advantages of black- and glass-box mapping models. They sample basic characterization parameters at the system output in addition to some control data describing the structure of the clean stimulus (see Figure 12.2). The control data may be sent in separate control packets or piggybacked inside the transmitted media packets. Hence, perceptually important information about a given content can be considered by the quality models. Therefore, they can measure the QoE value on a per-content basis. Given their simplicity of deployment and reasonable accuracy, this class of QoS/QoE mapping models is quickly proliferating.

FIGURE 12.2 Gray-Box QoS/QoE Mapping Models

Typically, large telecom operators, such as Ericsson, Deutsche Telekom, and British Telecom, develop their proprietary implementations of QoS/QoE mapping models and companion software tools to acquire, record, and analyze measures that satisfy their specific needs. However, the majority of telecom operators delegate the task of assessing their transport infrastructure, services, and equipment to specialized corporations, such as GL, OPTICOM, Telchemy, and HEAD Acoustics. In reality, QoS/QoE mapping models should be maintained and evolved to account for new technologies or usage contexts.

Tips for QoS/QoE Mapping Model Selection

The following checklist of five items can aid in the selection of a QoS/QoE mapping model:

Which types of operations am I considering?

Which parameters do I have? Can I access the signals, the contents, the packet payload, or the header?

Do I meet the specifications and usage conditions expected for using a given mapping model?

How much precision do I need?

Do I have all the inputs available for the selected mapping model?

12.2 IP-Oriented Parameter-Based QoS/QoE Mapping Models

The area of measuring the QoE of IP networks and applications is still in its infancy. However, the popularity of multimedia and user-friendly IP-based services puts QoE at the center of interest of today's ecosystem. In contrast to legacy content-oriented telecom systems (for example, the public switched telephone network [PSTN], radio, and TV), IP networks carry clean media content from a server to a destination using a flow of media packets composed of a header and a payload. Therefore, parameters gathered at the network layer, in addition to the application layer, are easily accessible at run time on user devices. This enables measuring QoE at run time using online glass- or gray-box parameter-based quality models. The QoE over IP-based networks is time-varying, in contrast to telecom networks, which are roughly time-invariant. This characteristic leads to considering instantaneous and overall QoE. The former refers to the QoE observed over a short time interval, on the order of 8 to 20 seconds. The latter refers to the overall QoE observed throughout a whole session, on the order of 1 to 3 minutes. The next sections give examples of online glass-box parameter-based quality models for IP-based video streaming applications.

Network Layer QoE/QoS Mapping Models for Video Services

The network layer QoS/QoE mapping models rely solely on NQoS metrics gathered from the TCP/IP stack excluding the application layer (that is, from the transport, network, link, and physical layers). In a 2010 paper, Ketyko et al. proposed the following parameter-based quality model for estimating video streaming quality in a 3G environment [KETY10]:

[equation presented as an image in the original]

where AL and VL refer respectively to the audio and video packet loss rates, AJ and VJ represent respectively the audio and video packet jitter, and RSSI is the received signal strength indicator. A 2014 paper by Kim and Choi presented a two-stage QoE/QoS mapping model for IPTV over 3G networks [KIM14]. The first stage consists of combining a set of basic QoS parameters into one metric as follows:

[equation presented as an image in the original]

where L, U, J, D, and B refer, respectively, to packet loss, burst level, packet jitter, packet delay, and bandwidth. The constants K, WI, Wu, WJ, Wd, and Wb are predefined weighting coefficients, which depend on the type of the access network (that is, wired or wireless). The second stage consists of computing the QoE value as follows:

[equation presented as an image in the original]

where X is the vector of parameters {L, U, J, D, B} and Qr is a scalar limiting the range of the IPTV QoE obtained as a function of the display size/resolution of the screen. The constant A expresses the subscribed service class and R is a constant reflecting the structure of the video frames.

Application Layer QoE/QoS Mapping Models for Video Services

Besides NQoS parameters, application layer QoE/QoS mapping models use metrics gathered at the application layer (AQoS). Moreover, they can account for the user behavior while interacting with a given video content. In a 2014 paper by Ma et al., the following parameter-based quality model is presented for video streaming applications [MA14]:

[equation presented as an image in the original]

where Lx refers to the start-up latency, that is, the waiting time before playing a video sequence, NQS is the number of quality switches, which counts the number of times the video bit rate is changed during a session, NRE is the number of rebuffering events, and TMR is the mean rebuffering time. The following parameter-based quality model, reported in a 2009 paper by Khan et al., estimates the QoE of a generic streamed video content over wireless networks using the MPEG4 codec [KHAN14]:
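The four inputs of the Ma et al. model (start-up latency Lx, number of quality switches NQS, number of rebuffering events NRE, and mean rebuffering time TMR) are exactly the per-session measures that the end-user device analytics described in Chapter 11 collects from the video player and feeds back to a server for aggregation. The Python below is an added example (it is neither the book's code nor any player vendor's API) that derives those four measures, plus the time-weighted average bit rate and the fraction of the asset viewed, from a constructed player event log, and then excludes sessions that look like early quitters before aggregating, as the engagement discussion in Chapter 11 suggests. The event names, the session records, and the 10% early-quitter cut-off are assumptions; the model's own formula is not reproduced because the page presents it only as an image.

```python
"""Per-session QoE inputs from constructed player events (added example)."""
from statistics import mean

# Constructed sessions. Each event is (wall_clock_seconds, name, value).
# Event names are assumptions for this example, not a real player's API.
# Bit rates are in kbit/s; exit_pos_s is the media position at which the viewer left.
SESSIONS = [
    {"id": "s1", "asset_s": 600.0, "exit_pos_s": 600.0, "events": [
        (0.0, "play_request", None), (1.2, "first_frame", None), (1.2, "bitrate", 2500),
        (60.0, "buffer_start", None), (63.0, "buffer_end", None), (63.0, "bitrate", 1200),
        (200.0, "bitrate", 2500), (400.0, "buffer_start", None), (402.0, "buffer_end", None),
        (606.2, "stop", None)]},
    {"id": "s2", "asset_s": 600.0, "exit_pos_s": 20.0, "events": [   # leaves after 20 s
        (0.0, "play_request", None), (0.8, "first_frame", None), (0.8, "bitrate", 2500),
        (20.8, "stop", None)]},
    {"id": "s3", "asset_s": 300.0, "exit_pos_s": 300.0, "events": [
        (0.0, "play_request", None), (3.5, "first_frame", None), (3.5, "bitrate", 800),
        (30.0, "buffer_start", None), (38.0, "buffer_end", None), (100.0, "buffer_start", None),
        (104.0, "buffer_end", None), (104.0, "bitrate", 400), (315.5, "stop", None)]},
]


def session_metrics(session):
    """Compute Lx, NQS, NRE, TMR, time-weighted average bit rate and fraction viewed."""
    t_request = t_first = t_stop = None
    stall_start, stalls = None, []
    rate, rate_since, rate_weighted = None, None, 0.0
    switches = 0
    for t, name, value in sorted(session["events"], key=lambda e: e[0]):
        if name == "play_request":
            t_request = t
        elif name == "first_frame":
            t_first = t
        elif name == "buffer_start":
            stall_start = t
        elif name == "buffer_end" and stall_start is not None:
            stalls.append(t - stall_start)
            stall_start = None
        elif name == "bitrate":
            if rate is not None:
                rate_weighted += rate * (t - rate_since)
                if value != rate:
                    switches += 1          # NQS counts changes, not the initial choice
            rate, rate_since = value, t
        elif name == "stop":
            t_stop = t
    if rate is not None and t_stop is not None:
        rate_weighted += rate * (t_stop - rate_since)
    wall = (t_stop - t_first) if (t_stop is not None and t_first is not None) else 0.0
    return {
        "startup_delay_s": (t_first - t_request) if t_first is not None else None,   # Lx
        "quality_switches": switches,                                               # NQS
        "rebuffer_events": len(stalls),                                             # NRE
        "mean_rebuffer_s": mean(stalls) if stalls else 0.0,                         # TMR
        "avg_bitrate_kbps": (rate_weighted / wall) if wall > 0 else None,
        "fraction_viewed": session["exit_pos_s"] / session["asset_s"],
    }


def aggregate(sessions, early_quit_below=0.10):
    """Drop early quitters (fraction viewed below the cut-off), then average the rest."""
    kept = [m for m in (session_metrics(s) for s in sessions)
            if m["fraction_viewed"] >= early_quit_below]
    if not kept:
        return {"sessions": 0}
    return {
        "sessions": len(kept),
        "mean_startup_delay_s": mean(m["startup_delay_s"] for m in kept),
        "mean_rebuffer_events": mean(m["rebuffer_events"] for m in kept),
        "mean_rebuffer_s": mean(m["mean_rebuffer_s"] for m in kept),
        "mean_quality_switches": mean(m["quality_switches"] for m in kept),
    }


if __name__ == "__main__":
    for s in SESSIONS:
        print(s["id"], session_metrics(s))
    print("aggregate (early quitters removed):", aggregate(SESSIONS))
```

Session s2 is the case the Chapter 11 text warns about: its metrics are flawless, yet the viewer left after 20 seconds, so including it in an engagement-versus-QoE analysis would suggest that good QoE drives abandonment. Filtering on the fraction viewed removes it before the averages are taken.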

 
图像

其中FR、SBR和PER分别指应用层采样的帧率、发送比特率和网络层采样的误包率。系数a 1至a 5用于校准质量模型。该模型已更新,可考虑三种类型的视频内容:轻微移动、轻柔行走和快速移动。质量模型由下式给出:

where FR, SBR, and PER refer, respectively, to the frame rate sampled at the application level, sent bit rate, and packet error rate sampled at the network level. The coefficients a1 to a5 are used to calibrate the quality model. This model has been updated to account for three types of video content: slight movement, gentle walking, and rapid movement. The quality model is given by the following:

 
Image

where a, b, c, d, e, f, and g are constants; CT is the content type of the video; and SBR and BLER refer, respectively, to the sent bit rate and the bit loss error rate. This model was developed for a video streaming service transmitted over UMTS networks using the H.264 video codec.

 

A QoE/QoS mapping model for IPTV was developed by Kuipers et al. [KUIP10], which accounts for the start-up latency and the zapping time. The latter is defined as the frequency of TV channel changes. The quality model is given by the following:

 
Image

where QoEzapping is a one-dimensional QoE component accounting for zapping behavior, ZT is the zapping time expressed in seconds, and a and b are numeric constants that may be positive or negative. Finally, the following parameter-based quality model proposed by Hossfeld et al. [HOSS13] accounts for stalling events, which are defined as involuntary pauses in the rendered video stream. The quality model is given by the following:

 
Image

where L refers to average stalling duration and N is the number of stalling events.

 

12.3 Actionable QoE over IP-Based Networks

 

This section introduces actionable QoE, which refers to all techniques and mechanisms that make it possible to concretely measure and utilize QoE metrics. Actionable QoE goes beyond QoE definition and measurement toward QoE exploitation. An actionable QoE solution strongly depends on the characteristics of the underlying system and services. Moreover, an actionable QoE solution works over multiplane architectures that integrate data, control, and management planes. Basically, two solutions may be used to achieve actionable QoE:

 

System-oriented actionable QoE solution

 

Service-oriented actionable QoE solution

 

The System-Oriented Actionable QoE Solution

 

The system-oriented actionable QoE solution accounts for QoE measures within the delivery infrastructure. In this case, services are engineered on the assumption that the underlying system is perfect; that is, that it inserts no degradation. Figure 12.3 illustrates a nominal environment in which a system-oriented actionable QoE solution may be provided. As can be seen, an actionable QoE solution requires (1) a QoS measurement module that gathers basic key performance indicators (KPIs) from the underlying system, (2) a QoE/QoS mapping model, and (3) a resource management module for the controlled devices. Each service provider specifies a target QoE level that should be offered to its customers. The QoE/QoS mapping model should be selected in a way that guarantees (a) the availability of the quality model's input parameters and (b) conformity with service specifications and conditions. A signaling procedure may be executed to do this. The management procedure may be executed either before a service starts or during its delivery. It involves the specification of all configurable parameters offered by a given infrastructure, such as priority, marking thresholds, traffic shaping, and so on. This should be realized using an autonomous decision system, including a policy that maps observed QoE measures to a course of actions executed by the managed devices.

 
FIGURE 12.3 A Nominal Environment for Providing QoE-Centric Services

 

This operational mode applies well to software-defined networking (SDN), where the network paths are managed by an SDN controller. In such a case, the measured QoE values are reported to the SDN controller, which uses them to define the behavior of the SDN switches. The SDN controller should include a QoE policy and rules module that (1) checks whether the contracted QoE level is respected on a per-user/per-flow basis and (2) specifies the SDN paths that should be used to forward user flows. The QoE policy and rules module should consider situations where services cross SDN-supported and -unsupported realms.

 

The Service-Oriented Actionable QoE Solution

 

The service-oriented actionable QoE solution accounts for QoE values measured at the endpoints and at the service level (see Figure 12.4). In this case, services are engineered to deal with the flaws of the underlying system in order to reach a specified QoE level. The services may change their behavior as a function of the current context and conditions. The KPI measurement module is installed on the endpoints. The QoE/QoS mapping models may be deployed either on the endpoints or on specialized devices. The measured QoE values are sent to the endpoints to configure the different application modules at the sender, proxy, and receiver entities.

 
FIGURE 12.4 Service-Aware QoE Deployment Scheme

 

The service-oriented actionable QoE solution has several advantages. First, QoE monitoring and management are performed per service, per user, and per content item to provide a given QoE level. Second, it offers more adaptation possibilities because it precisely discerns the capability and role of each service component. Third, it reduces the communication overhead and balances computing loads. Finally, it enables QoE to be treated at component-level granularity in addition to stream- and packet-level granularities. However, this solution cannot be applied to already running services, and it results in higher complexity in service design and engineering.

 

12.4 QoE Versus QoS Service Monitoring

 

Monitoring is a strategic function that should be supported by today's IT systems. It returns indicators and provides clues regarding system performance and workload. Moreover, it enables the detection of system dysfunctions and defects, as well as underperforming devices and applications, so that the best course of action may be undertaken. The monitoring solutions of current IT systems may be classified into the following four categories (see Figure 12.5):

 
FIGURE 12.5 A Classification of Monitoring Solutions

 

Network monitoring: Provides measures of the performance of the paths and links used to deliver media units. They are collected at packet processing devices (routers and switches) and may operate on a per-flow or per-packet basis. The path characterization metrics, such as throughput, packet loss, reordering and duplication, delay, and jitter, are calculated using atomic metrics extracted from packet headers, such as sequence numbers and time stamps.

 

Infrastructure monitoring: Provides measures of device performance and resource state, such as memory, CPU, I/O, load, and so on.

 

Platform monitoring: Provides performance indicators about the computing center where the back-end servers are running. It may work over a virtualized infrastructure where business application logic is deployed using virtual machines.

 

Service monitoring: Provides measures of service performance. The metrics depend on each application and may be realized from a technical or a perceptual perspective.

 

Typically, the monitoring solution in a distributed system involves a variety of probes, each measuring the performance of a given element participating in the service delivery chain. They are distributed and deployed over the system following a particular policy. Moreover, it includes a reliable and scalable manager that remotely configures probe behavior, especially in terms of the frequency and content of measurement reports. Often, probes are built into a given managed device or component (for example, an SNMP agent). They may be configured by the network or system administrators to fit specific environment requirements. Typically, probes send atomic and elementary metrics that are transformed by the manager into human-friendly metrics. The manager logs all measures following a specific representation and saves them at a specific location.

 

The monitoring solution should provide a communication facility between the manager and the managed devices. The interaction between the manager and the managed entities is conventionally realized using the connectionless User Datagram Protocol (UDP) through a couple of reserved ports. This has evolved to work over short-lived HTTP connections, with the probes defined as RESTful services that may be called by the manager. Moreover, reports may be exchanged either in band or out of band. The first strategy shares the resources used for data delivery, whereas the second uses dedicated and autonomous devices and channels to perform the monitoring tasks.

 

Figure 12.6 presents a typical configuration of an on-demand monitoring solution. The manager receives monitoring requests from customers, expressed using a specific syntax. Upon receipt of a new monitoring request, the manager queries a Universal Description, Discovery, and Integration (UDDI) directory to get more information about the monitored service, such as its location and properties. The monitoring solution, including a set of probes, is deployed over a given infrastructure. The probes register themselves automatically with a preconfigured registrar once a monitored component is activated. The registrar keeps traces and features of all active probes. The probes should be configured offline by the administrator to report metrics according to a given behavior during a service. The metrics generated by the probes may be aggregated and processed before being sent to the manager, which performs the data analytics procedure.

 
FIGURE 12.6 A Baseline and Generic Monitoring Solution

 

Traditional QoS metrics may be measured at the network, infrastructure, platform, and service layers. However, QoE metrics may be measured only at the service layer, where it is possible to interact with end users. The next sections present recent technologies and trends in QoS and QoE monitoring solutions.

 

QoS Monitoring Solutions

 

The emerging QoS monitoring solutions are basically developed for data centers and clouds where virtualization technology is supported. Figure 12.7 shows a network- and infrastructure-level monitoring solution built for a cloud-based IPTV service. The audiovisual content servers are placed in a cloud. The traffic sent from the content servers to the IPTV devices is permanently monitored through a set of Vprobes deployed across the network. A Vprobe is an open-ended investigatory tool used in the cloud environment to inspect, record, and compute the state of the hypervisor as well as of each virtual machine running service business logic. The flows of video packets are parsed at different measurement points. The information collected by the Vprobes is then used to reconstruct service-level detailed records (SDRs). Each record contains the most relevant information about the complete session between an origin (server) and a destination (user). The critical parameters of the messages associated with an IPTV session are stored inside the SDRs.

 
FIGURE 12.7 vProbes Approach in Cloud-Based IPTV Network

 

Amazon developed CloudWatch, a monitoring solution tied to the Amazon cloud (http://aws.amazon.com/cloudwatch/). It can monitor cloud resources, such as CPU and memory utilization, in addition to client applications and services. Administrators can collect and track custom metrics that depend on each application. Amazon CloudWatch retrieves the monitored data, displays graphs, and sets alarms to help in troubleshooting, spotting trends, and taking automated courses of action based on the state of the cloud.

 

QoE Monitoring Solutions

 

The emerging QoE monitoring solutions extend and adapt the QoS ones. As discussed before, a QoE monitoring solution strongly depends on QoE/QoS mapping models. Moreover, in contrast to QoS monitoring, there is no one-size-fits-all solution for QoE monitoring.

 

The diagrams in Figure 12.8 show four configurations that can be used to monitor the QoE values of IP-based video streaming services at run time. The configurations differ in terms of the locations of the measurement and of the mapping model. Each configuration is denoted by an expression XY, where X refers to the measurement location and Y refers to the quality model location. Each may take one of these values: N for network, C for client, and B for both:

 
FIGURE 12.8 The Operational Working Modes of Quality Models in Networks

 

A. Static operation mode (NN): Both KPI and QoE measurements are performed inside the network. The QoE/QoS mapping model is installed on a device listening on the service delivery path (see part a of Figure 12.8). The quality model uses the collected KPIs, prior knowledge about the video coding scheme, and endpoint characteristics. The parameters of the QoE/QoS mapping model are extracted from decrypted information included in the transmitted media packets. The characteristics of the endpoints can be acquired either by polling them or by inspecting the exchanged SDP (Session Description Protocol) messages. The QoE measurement points may include an endpoint emulator that enables a realistic reconstruction of the received streams.

 

B. Nonembedded dynamic operation (BN): KPIs are measured at both the network and the client, whereas QoE values are measured inside the network (see part c of Figure 12.8). The quality model uses the gathered KPIs, prior knowledge about the coding scheme, and information about the client obtained using a customized signaling protocol.

 

C. Nonembedded distributed operation (CN): KPIs are measured at the client side, and the measurements are sent periodically to the QoE/QoS mapping model located inside the network (see part b of Figure 12.8).

 

D. Embedded operation (CC): Both KPIs and QoE are measured at the client side. The QoS/QoE mapping model is embedded inside the client (see part d of Figure 12.8). The measured QoE metrics may be reported to a centralized monitoring entity.

 

A standardized multidimensional QoE monitoring solution is defined in ETSI Technical Specification TS 103 294 (Speech and Multimedia Transmission Quality (STQ); Quality of Experience; A Monitoring Architecture, 2014). This solution uses QoE agents deployed on devices that communicate with each other and with data-acquisition objects (or probes). The architecture of the QoE agent is based on a layered definition of APIs that enables convenient grouping of the different factors that influence QoE. The six layers are defined as follows:

 

Resource: Composed of dimensions representing the characteristics and performance of the technical system(s) and network resources used to deliver the service. Examples of such factors include network QoS in terms of delay, jitter, loss, error rate, and throughput. Furthermore, system resources such as server processing capabilities and end user device capabilities (e.g. computational power, memory, screen resolution, user interface, battery lifetime, etc.) are included.

 

Application: Composed of dimensions representing application/service configuration factors. Examples of such factors include media encoding, resolution, sample rate, frame rate, buffer sizes, SNR, etc. Content-related factors (e.g., specific temporal or spatial requirements, 2D/3D content, and color depth) also belong to this space.

 

Interface: Represents the physical equipment and interface through which the user is interacting with the application (type of device, screen size, mouse, etc.).

 

Context: Related to the physical context (e.g., geographical aspects, ambient light and noise, time of day), the usage context (e.g., mobility/no mobility or stress/no stress), and the economic context (e.g., the cost that a user is paying for a service).

 

Human: Represents all factors related to the perceptual characteristics of users (e.g. sensitivity to audio-visual stimulus, perception of durations, etc.).

 

User: Users’ factors that are not represented in the Human layer. These factors encompass all aspects of humans as users of services or applications (e.g., history and social characteristics, motivation, expectation, and level of expertise).

 

The strength of the QoE monitoring solution using these layers resides in its ability to monitor any service using customized QoS/QoE mapping models. The QoE agent is composed of the six major objects illustrated in Figure 12.9 and described in the list that follows.

 
FIGURE 12.9 A Maximum Co-Located QoE Agent (Generic QoE Agent)

 

The Communication object manages inter-QoE agent communications.

 

The Data-Acquisition object implements all data-acquisition sublayers. It acquires atomic information necessary for the calculation of the internal parameters of a given QoE/QoS mapping model.

 

The Controller object implements global QoE/QoS mapping models and handles external requests and commands, such as get and set operations.

 

The Layer object is an interface object that implements the different model layers, such as the Application model, the Context model, and the User model.

 

The Persistent-Data object stores the quality parameters for all layers.

 

The Timer object serves as the internal time reference for the QoE agent.

 

A QoE agent must implement all layers of the ARCU model. However, the layers may be distributed over many physical devices. To support this, two types of QoE agents are introduced:

 

A master QoE agent is a nondistributed entity implementing at least the User model sublayer, which contains at least a Layer object of type User. It must implement a Communication object, a Controller object, a Timer object, and a Persistent-Data object. It must also implement a Data-Acquisition object (see Figure 12.10).

 
FIGURE 12.10 A Minimum Master Agent (With Only User Model)

 

A slave QoE agent is a nondistributed entity implementing a Data-Acquisition object or some Layer objects, but no Layer object of type User. It must also implement a Communication object, a Controller object, and a Timer object.

 

The components of the maximum and minimum master QoE agents are illustrated in Figure 12.9 and Figure 12.10, respectively. The maximum master QoE agent includes all ARCU layers, whereas the minimum master QoE agent implements only the User layer. Figure 12.11 illustrates a slave QoE agent that implements only one layer of the ARCU model other than the User layer.

 
FIGURE 12.11 A Slave QoE Agent Implementing Only One Layer Model (Besides the User Layer)

 

The data-acquisition module is encapsulated in a probe agent, specified as follows:

 

A probe agent of type L: A nondistributed entity implementing the data-acquisition sublayer of type L and no Layer objects (see Figure 12.12). It must also implement a Communication object, a Controller object, and a Timer object.

 
FIGURE 12.12 A Probe Agent of Type L

 

A probe agent is used when the type L of the probe agent is irrelevant or when the entity implements several sublayers of different types. It must also implement a Communication object, a Controller object, and a Timer object.

 

12.5 QoE-Based Network and Service Management

 

Quantified QoE values may be taken into account in network and service management. This makes it possible to obtain an optimal trade-off that maximizes QoE and minimizes resource consumption. The major challenge lies in translating QoE metrics into a course of actions that reliably enhances the QoE experienced and reduces resource consumption. Unfortunately, there is no systematic approach to reaching such a goal. The following sections describe a number of applications that seek to undertake a set of actions as a function of the measured QoE.

 

QoE-Based Management of VoIP Calls

 

The management of Voice over IP (VoIP) based on QoE has been extensively investigated in the literature. The goal is to maintain a constant QoE level during an entire packet voice session transmitted over IP networks whose quality varies over time. Typically, QoE measurement probes following a glass-box parameter-based model are installed on the VoIP endpoints. They collect atomic KPIs at run time, which are transformed and given as inputs to a QoE/QoS mapping model. After a new QoE measure is received, a QoS controller adjusts the reconfigurable network parameters along the delivery path, such as queuing allocation and congestion thresholds. A simple policy consists of allocating more (respectively, less) network resources if the QoE value is less (respectively, greater) than the target QoE value.

 

QoE-Based Host-Centric Vertical Handover

 

Mobile consumers on next-generation networks could, at a given moment, be served by several overlapping heterogeneous wireless networks. In such a case, mobile users should choose the access network that will most likely achieve good quality. The network selection/switching procedure can be performed either at the start of or during the service. An internetwork hard handover occurs when users switch from one network to another for specific reasons related to both consumers and providers. A handover may be managed in a network- or host-centric way. In a traditional network-centric approach, the provider-monitored infrastructure decides when a handover is required through a set of control algorithms. In a host-centric approach, however, the end nodes can perform a handover when the quality of service becomes unsteady and unsatisfactory.

 

Figure 12.13 illustrates a likely scenario in which the client could be served either by a WiMAX or a Wi-Fi system. Appropriate equipment, such as outdoor and indoor units, a server, a router, and Wi-Fi and WiMAX access points, should be deployed and configured to enable network handover. During a voice call, the client may switch from the WiMAX system to the Wi-Fi system, and vice versa.

 
FIGURE 12.13 Network Selection Between Wi-Fi and WiMAX Based on Client and Link Quality [MURP07]

 

Murphy et al. argue that a host-centric network selection approach is more suitable for supporting delay-sensitive services [MURP07]. Indeed, in such a case, the internetwork handover may be performed according to customized requirements specified on a per-service and per-user basis. In general, for delay-sensitive services, a network selection controller that performs seamless network switching, reducing or eliminating service interruptions, may be used.

 

To do this, it is possible to use the message-based, multistreamed, multihomed, and reliable Stream Control Transmission Protocol (SCTP). In contrast to TCP, SCTP allows out-of-order delivery of packets to the application, which is better suited to delay-sensitive applications. The multihoming feature of SCTP enables transparent handover across several heterogeneous overlapping wireless networks. One path, with specified destination and source addresses, plays the role of the primary path; the remaining ones play the role of secondary paths. SCTP can monitor delay and jitter on all active paths at run time and make them available to the application. Heartbeat messages are sent over the secondary paths to collect the required measurements. The collected KPIs are mapped to QoE values using a suitable QoE/QoS mapping model. The path quality is compared at regular intervals, and the client decides whether a network switch is necessary according to its customized internal policy.
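The host-centric decision loop described above, as an added example that is not code from the book or from Murphy et al.: heartbeat RTT samples per path are turned into delay and jitter KPIs, mapped to a QoE score, and compared at each interval by a client policy that switches the primary path only when a secondary is sustainably better. The per-path RTT windows, the linear-penalty QoE mapping, and the margin/consecutive-interval thresholds are all assumptions made for illustration.

```python
"""Host-centric path selection over an SCTP-style multihomed association.

Added example, not from the book. Assumptions not stated in the text:
heartbeat RTT samples (ms) arrive per path in fixed evaluation windows;
KPIs are mapped to a 1..5 QoE score by a simple linear-penalty mapping
chosen only for illustration; and the client's internal policy switches
the primary path only when a secondary beats it by a margin on several
consecutive evaluation intervals (hysteresis against flapping).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from statistics import mean


@dataclass
class PathStats:
    """Heartbeat-derived KPIs for one SCTP path (one source/destination pair)."""
    name: str
    rtts_ms: list[float] = field(default_factory=list)

    def delay_ms(self) -> float:
        # One-way delay estimated as half the mean heartbeat RTT.
        return mean(self.rtts_ms) / 2.0

    def jitter_ms(self) -> float:
        # Mean absolute difference between successive RTT samples.
        if len(self.rtts_ms) < 2:
            return 0.0
        return mean([abs(b - a) for a, b in zip(self.rtts_ms, self.rtts_ms[1:])])


def qoe_score(delay_ms: float, jitter_ms: float) -> float:
    """Assumed illustrative QoE/QoS mapping (not a model from the text):
    start from 5.0 and subtract penalties for one-way delay above 150 ms
    and jitter above 20 ms, clamped to the 1..5 range."""
    score = 5.0
    score -= max(0.0, delay_ms - 150.0) / 100.0
    score -= max(0.0, jitter_ms - 20.0) / 20.0
    return max(1.0, min(5.0, score))


class PathSelector:
    """Client-side policy comparing path QoE at every evaluation interval."""

    def __init__(self, primary: str, margin: float = 0.5, consecutive: int = 3):
        self.primary = primary
        self.margin = margin            # minimum QoE gain worth a switch
        self.consecutive = consecutive  # intervals the gain must persist
        self.better_count: dict[str, int] = {}

    def evaluate(self, paths: list[PathStats]) -> str:
        """Consume one interval of heartbeat KPIs; return the primary path name."""
        scores = {p.name: qoe_score(p.delay_ms(), p.jitter_ms()) for p in paths}
        primary_score = scores[self.primary]
        for name, score in scores.items():
            if name != self.primary and score >= primary_score + self.margin:
                self.better_count[name] = self.better_count.get(name, 0) + 1
            else:
                self.better_count[name] = 0  # gain not sustained: reset
        candidates = [n for n, c in self.better_count.items() if c >= self.consecutive]
        if candidates:
            # Promote the best sustained candidate; the old primary becomes secondary.
            self.primary = max(candidates, key=scores.get)
            self.better_count = {}
        return self.primary


def run_scenario() -> list[str]:
    """Constructed heartbeat RTT windows (ms) for a WiMAX primary and a Wi-Fi
    secondary path; returns the primary chosen after each interval."""
    good_wimax = [80, 82, 81, 80]
    bad_wimax = [400, 420, 390, 410]   # congested: high delay and jitter
    good_wifi = [60, 62, 61, 60]
    windows = [
        (good_wimax, good_wifi),  # both fine: no switch
        (bad_wimax, good_wifi),   # one-off spike: counted once
        (good_wimax, good_wifi),  # recovers: counter resets, no flapping
        (bad_wimax, good_wifi),   # sustained degradation starts
        (bad_wimax, good_wifi),
        (bad_wimax, good_wifi),   # third consecutive interval: switch to wifi
    ]
    selector = PathSelector(primary="wimax", margin=0.5, consecutive=3)
    history = []
    for wimax_rtts, wifi_rtts in windows:
        paths = [PathStats("wimax", wimax_rtts), PathStats("wifi", wifi_rtts)]
        history.append(selector.evaluate(paths))
    return history


if __name__ == "__main__":
    print(run_scenario())  # ['wimax', 'wimax', 'wimax', 'wimax', 'wimax', 'wifi']
```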

 

QoE-Based Network-Centric Vertical Handover

 

This section covers a QoE-based network-centric internetwork handover scheme. The goal is to perform a handover between overlapping WLAN and GSM networks. This allows, on the one hand, exploiting the high capacity of the WLAN and, on the other hand, reducing the GSM network load and cost. Figure 12.14 shows a scenario in which a mobile subscriber initiates a voice call to a landline PSTN subscriber using a WLAN as the last wireless hop. When the QoE of the voice call drops below a given critical threshold because of mobility or congestion, a handover is performed. In that case, the mobile subscriber is linked to the landline subscriber using the GSM infrastructure. The hands-free terminal is equipped with two wireless card interfaces to allow connection to both the WLAN and the GSM network. The mobile terminal sends adequate "quality reports" to a PBX, which analyzes the received feedback. Once an unsatisfactory score is detected, the PBX instructs the mobile terminal to perform a handover. To do this seamlessly, a voice channel is opened over the GSM infrastructure between the mobile terminal and the PBX, which is responsible for relaying the received voice information toward the fixed subscriber.

 
FIGURE 12.14 Handover Scenario Between WLAN and GSM Networks [MAES06]

 

The handovers are controlled using the following simplified additive quality model, installed at the private branch exchange (PBX), as reported by Marsh et al. [MARS06]:

 
图像

其中,切换分数从 –100 到 100 不等。其余变量定义如下:

where, the handover scores vary from –100 to 100. The remaining variables are defined as follows:

 

Received signal strength indicator: The signal-to-noise ratio is a good indicator of quality of service, especially over wireless telecom networks, but it may yield inaccurate quality estimates over wireless data networks. Over wireless telecom networks, high signal strength indicates that users are likely to sustain a good QoE. This rule does not hold over wireless data networks, where QoE can be poor in spite of high measured signal strength because of, for example, congestion-induced packet losses. The mobile terminal periodically records the received signal strength. The obtained value is scaled to the handover score range defined by the authors; specifically, the measured received signal strengths are mapped to values ranging from 0 to +90.

Delay jitter: Increasing delay jitter is a good indicator of poor quality. According to a preliminary empirical study, scores of +10 and 0 are assigned to good and negligible jitter conditions, respectively, and scores of –10 and –20 to poor and very poor jitter conditions, respectively.

Packet loss: A high packet loss rate indicates that users are undoubtedly sustaining very poor quality. A decreasing score step of –10 is assigned for each 8 percent increase in the encountered packet loss ratio. A long bad period is accounted for by increasing the contribution of packet loss accordingly.

RTCP losses: The mobile terminal is likely sustaining reception problems when the monitoring node does not receive RTCP quality reports. Three or more consecutive losses of RTCP feedback are generally significant enough to reduce the overall handover score aggressively. A decreasing score step of –10 is assigned for each consecutively lost RTCP report.

A large positive score indicates a good QoE. Mobile users are allowed to specify the lowest acceptable threshold score; consequently, a handover is performed only when the calculated handover score falls below the defined threshold. Raising the threshold improves average quality at the expense of higher communication cost, because the system switches the voice session to the GSM system earlier. Conversely, lowering the threshold reduces communication cost at the expense of longer periods of degraded quality.

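As an added example (not code from the book or from Marsh et al. [MARS06]), the following Python implements the additive scoring rules described above and shows how the subscriber's threshold moves the switch to GSM earlier or later. Because the scoring equation itself is not reproduced on this page, the linear RSSI mapping with assumed bounds of –90 and –40 dBm, the bad-period multiplier on packet loss, and the quality report sequence are all assumptions constructed for this example.

```python
"""Additive QoE-based handover score for a WLAN-to-GSM voice call (added example).

Not code from the book or from Marsh et al. [MARS06]. The scoring equation is
not reproduced on the page, so the contributions below follow the prose rules:
RSSI scaled to 0..+90, jitter +10/0/-10/-20 by condition, -10 per 8 percent
of packet loss (weighted more for long bad periods), -10 per consecutively
lost RTCP report, total clamped to -100..100.
"""
from dataclasses import dataclass
from typing import List, Optional

# Jitter condition scores exactly as stated in the text.
JITTER_SCORES = {"negligible": 0, "good": 10, "poor": -10, "very poor": -20}

# Assumed RSSI bounds (dBm) for the linear 0..+90 mapping; the page gives no bounds.
RSSI_FLOOR_DBM = -90.0
RSSI_CEIL_DBM = -40.0


@dataclass
class QualityReport:
    """One quality report sent by the mobile terminal to the PBX (constructed)."""
    rssi_dbm: float
    jitter: str           # key of JITTER_SCORES
    loss_pct: float       # packet loss ratio in percent
    rtcp_lost: int        # consecutive RTCP reports the PBX failed to receive
    bad_periods: int = 0  # earlier consecutive reports already in a lossy state (assumed)


def rssi_score(rssi_dbm: float) -> float:
    """Map received signal strength onto 0..+90 (linear between the assumed bounds)."""
    clipped = min(max(rssi_dbm, RSSI_FLOOR_DBM), RSSI_CEIL_DBM)
    return 90.0 * (clipped - RSSI_FLOOR_DBM) / (RSSI_CEIL_DBM - RSSI_FLOOR_DBM)


def jitter_score(condition: str) -> int:
    """+10 good, 0 negligible, -10 poor, -20 very poor."""
    return JITTER_SCORES[condition]


def loss_score(loss_pct: float, bad_periods: int = 0) -> float:
    """-10 for every full 8 percent of loss. A long bad period increases the
    contribution; the factor 1 + 0.5 * bad_periods is an assumption."""
    steps = int(loss_pct // 8)
    return -10.0 * steps * (1.0 + 0.5 * bad_periods)


def rtcp_score(rtcp_lost: int) -> int:
    """-10 for each consecutively lost RTCP report."""
    return -10 * rtcp_lost


def handover_score(report: QualityReport) -> float:
    """Additive model, clamped to the -100..100 range given in the text."""
    total = (rssi_score(report.rssi_dbm)
             + jitter_score(report.jitter)
             + loss_score(report.loss_pct, report.bad_periods)
             + rtcp_score(report.rtcp_lost))
    return max(-100.0, min(100.0, total))


def first_handover(reports: List[QualityReport], threshold: float) -> Optional[int]:
    """Index of the first report whose score falls below the subscriber's threshold,
    i.e. the point at which the PBX instructs the terminal to switch to GSM."""
    for i, report in enumerate(reports):
        if handover_score(report) < threshold:
            return i
    return None


# Constructed report sequence: the subscriber walks away from the access point
# while the WLAN becomes congested, so signal, jitter and loss all degrade.
REPORTS = [
    QualityReport(-50, "negligible", 0, 0),      # score 72
    QualityReport(-60, "good", 2, 0),            # score 64
    QualityReport(-70, "poor", 9, 0),            # score 16
    QualityReport(-75, "poor", 17, 0, 1),        # score -13
    QualityReport(-82, "very poor", 25, 1, 2),   # score -75.6
    QualityReport(-88, "very poor", 33, 3, 3),   # score -146.4, clamped to -100
]

if __name__ == "__main__":
    for i, r in enumerate(REPORTS):
        print(f"report {i}: handover score {handover_score(r):6.1f}")
    # A higher threshold triggers the switch to GSM earlier (better quality,
    # higher cost); a lower one delays it (cheaper, longer degradation).
    for threshold in (20, 0, -50):
        print(f"threshold {threshold:4}: handover at report {first_handover(REPORTS, threshold)}")
```
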
12.6 Key Terms

After completing this chapter, you should be able to define the following terms.

QoE/QoS model mapping
black-box mapping model
glass-box mapping model
gray-box mapping model
QoE-aware services
QoE-based monitoring
QoE-based management

12.7 References

HOSS13: Hossfeld, T., et al. “Internet Video Delivery in YouTube: From Traffic Measurements to Quality of Experience.” Book chapter in Data Traffic Monitoring and Analysis: From Measurement, Classification, and Anomaly Detection to Quality of Experience, Lecture Notes in Computer Science, Volume 7754, 2013.

KETY10: Ketyko, I., De Moor, K., Joseph, W., and Martens, L. “Performing QoE-Measurements in an Actual 3G Network,” IEEE International Symposium on Broadband Multimedia Systems and Broadcasting, March 2010.

KHAN09: Khan, A., Sun, L., and Ifeachor, E. “Content Clustering Based Video Quality Prediction Model for MPEG4 Video Streaming over Wireless Networks,” IEEE International Conference on Communications, 2009.

KIM14: Kim, H., and Choi, S. “QoE Assessment Model for Multimedia Streaming Services Using QoS Parameters,” Multimedia Tools and Applications, October 2014.

KUIP10: Kuipers, F., et al. “Techniques for Measuring Quality of Experience,” 8th International Conference on Wired/Wireless Internet Communications, 2010.

MA14: Ma, H., Seo, B., and Zimmermann, R. “Dynamic Scheduling on Video Transcoding for MPEG DASH in the Cloud Environment,” Proceedings of the 5th ACM Multimedia Systems Conference, March 2014.

MARS06: Marsh, I., Grönvall, B., and Hammer, F. “The Design and Implementation of a Quality-Based Handover Trigger,” 5th International IFIP-TC6 Networking Conference, Coimbra, Portugal.

MURP07: Murphy, L., et al. “An Application-Quality-Based Mobility Management Scheme,” Proceedings of the 9th IFIP/IEEE International Conference on Mobile and Wireless Communications Networks, 2007.

Part V: Modern Network Architecture: Clouds and Fog

We have discussed a new large communication system, one markedly different from the present in both concept and equipment, and one which will mean a merging of two different technologies: computers and communications.

—On Distributed Communication: Summary Overview, Rand Report RM-3767-PR, Paul Baran, August 1964

CHAPTER 13: Cloud Computing
CHAPTER 14: The Internet of Things: Components
CHAPTER 15: The Internet of Things: Architecture and Implementation

The two dominant modern network architectures are cloud computing and the Internet of Things (IoT), sometimes referred to as fog computing. The technologies and applications discussed in the preceding sections all provide a foundation for cloud computing and IoT. Chapter 13 is a survey of cloud computing. The chapter begins with a definition of basic concepts, and then covers cloud services, deployment models, and architecture. The chapter then discusses the relationship between cloud computing and software-defined networking (SDN) and network functions virtualization (NFV). Chapters 14 and 15 provide a detailed look at IoT: Chapter 14 covers the principal components of IoT-enabled things, while Chapter 15 examines IoT reference architectures and looks at three implementation examples.

Chapter 13. Cloud Computing

One can now picture a future investigator in his laboratory. His hands are free, and he is not anchored. As he moves about and observes, he photographs and comments. Time is automatically recorded to tie the two records together. If he goes into the field, he may be connected by radio to his recorder. As he ponders over his notes in the evening, he again talks his comments into the record. His typed record, as well as his photographs, may both be in miniature, so that he projects them for examination.

—“As We May Think,” Vannevar Bush, The Atlantic, July 1945

Chapter Objectives: After studying this chapter, you should be able to

Present an overview of cloud computing concepts.
List and define the principal cloud services.
List and define the cloud deployment models.
Compare and contrast the NIST and ITU-T cloud computing reference architectures.
Discuss the relevance of SDN and NFV to cloud computing.

Section 1.6 provided a brief overview of the concept of cloud computing, and Section 2.2 included a discussion of the requirements that cloud computing generates with respect to networking. This chapter begins with a more detailed look at the basic concepts of cloud computing. Next is a discussion of the principal types of services typically offered by cloud providers. The chapter then looks at various deployment models for cloud systems, followed by an examination of two cloud computing reference architectures, developed by NIST and ITU-T, respectively. A consideration of these two different models provides insight into the nature of cloud computing. Finally, the chapter discusses how SDN and NFV can support cloud computing deployment and operation.

13.1 Basic Concepts

There is an increasingly prominent trend in many organizations to move a substantial portion or even all information technology (IT) operations to an Internet-connected infrastructure known as enterprise cloud computing. At the same time, individual users of PCs and mobile devices are relying more and more on cloud computing services to back up data, sync devices, and share data. NIST defines cloud computing, in NIST SP-800-145, The NIST Definition of Cloud Computing, as follows:

Cloud computing: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

See Section 1.6, “Cloud Computing.”

See Figure 1.7, Cloud Computing Context.

The definition refers to various models and characteristics, whose relationship is illustrated in Figure 13.1. The five essential characteristics were discussed in Chapter 1, “Elements of Modern Networking.” This chapter covers the three service models and the four deployment models.

FIGURE 13.1 Cloud Computing Elements

See Section 2.2, “Demand: Big Data, Cloud Computing, and Mobile Traffic.”

Basically, cloud computing provides economies of scale, professional network management, and professional security management. These features can be attractive to companies large and small, government agencies, and individual PC and mobile users. The individual or company only needs to pay for the storage capacity and services they use. The user, be it company or individual, does not have the hassle of setting up a database system, acquiring the hardware they need, doing maintenance, and backing up the data—all these are part of the cloud service.

See Figure 2.4, Cloud Network Model.

In theory, another big advantage of using cloud computing to store your data and share it with others is that the cloud provider takes care of security. Alas, the customer is not always protected. There have been a number of security failures among cloud providers. Evernote made headlines in early 2013 when it told all of its users to reset their passwords after an intrusion was discovered.

Cloud networking refers to the networks and network management functionality that must be in place to enable cloud computing. Most cloud computing solutions rely on the Internet, but that is only a piece of the networking infrastructure. One example of cloud networking is the provisioning of high-performance/high-reliability networking between the provider and subscriber. In this case, some or all of the traffic between an enterprise and the cloud bypasses the Internet and uses dedicated private network facilities owned or leased by the cloud service provider. More generally, cloud networking refers to the collection of network capabilities required to access a cloud, including making use of specialized services over the Internet, linking enterprise data centers to a cloud, and using firewalls and other network security devices at critical points to enforce access security policies.

We can think of cloud storage as a subset of cloud computing. In essence, cloud storage consists of database storage and database applications hosted remotely on cloud servers. Cloud storage enables small businesses and individual users to take advantage of data storage that scales with their needs and to take advantage of a variety of database applications without having to buy, maintain, and manage the storage assets.

13.2 Cloud Services

This section looks at commonly defined cloud services, beginning with three service models defined by NIST:

Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)

These can be viewed as nested service alternatives (see Figure 13.2) and are universally accepted as the basic service models for cloud computing. The section then examines other popular cloud service models.

FIGURE 13.2 Cloud Service Models

Software as a Service

As the name implies, a SaaS cloud provides service to customers in the form of software, specifically application software running on and accessible in the cloud. SaaS follows the familiar model of web services, in this case applied to cloud resources. SaaS enables the customer to use the cloud provider’s applications running on the provider’s cloud infrastructure. The applications are accessible from various client devices through a simple interface such as a web browser. Instead of obtaining desktop and server licenses for the software products it uses, an enterprise obtains the same functions from the cloud service. The use of SaaS avoids the complexity of software installation, maintenance, upgrades, and patches. Examples of services at this level are Google Gmail, Microsoft 365, Salesforce, Citrix GoToMeeting, and Cisco WebEx.

Common subscribers to SaaS are organizations that want to provide their employees with access to typical office productivity software, such as document management and e-mail. Individuals also commonly use the SaaS model to acquire cloud resources. Typically, subscribers use specific applications on demand. The cloud provider also usually offers data-related features such as automatic backup and data sharing between subscribers.

The following list, derived from an ongoing industry survey by OpenCrowd (http://cloudtaxonomy.opencrowd.com/taxonomy), describes example SaaS services. The numbers in parentheses refer to the number of vendors currently offering each service.

Billing (3): Application services to manage customer billing based on usage and subscriptions to products and services.

Collaboration (18): Platforms providing tools that allow users to collaborate in workgroups, within enterprises, and across enterprises.

Content management (7): Services for managing the production of and access to content for web-based applications.

Customer relationship management (13): Platforms for CRM applications that range from call center applications to sales force automation.

Document management (6): Platforms for managing documents and document production workflows, and for providing workspaces for groups or enterprises to find and access documents.

Education (4): Online services for educators and educational institutions.

Enterprise resource planning (8): ERP is an integrated computer-based system used to manage internal and external resources, including tangible assets, financial resources, materials, and human resources.

Financials (11): Applications for managing financial processes for companies that range from expense processing and invoicing to tax management.

Healthcare (10): Services for improving and managing people’s health and healthcare management.

Human resources (10): Software for managing human resources functions within companies.

IT services management (5): Software that helps enterprises manage IT service delivery to service consumers and manage performance improvement.

Personal productivity (5): Software that business users use on a daily basis in the normal course of business. The typical suite includes applications for word processing, spreadsheets, and presentations.

Project management (12): Software packages for managing projects. Features of packages may specialize the offering for specific types of projects such as software development, construction, and so on.

Sales (7): Applications that are specifically designed for sales functions such as pricing, commission tracking, and so on.

Security (10): Hosted products for security services such as malware and virus scanning, single sign-on, and so on.

Social networks (4): Platforms for creating and customizing social networking applications.

Platform as a Service

A PaaS cloud provides service to customers in the form of a platform on which the customer’s applications can run. PaaS enables the customer to deploy customer-created or customer-acquired applications onto the cloud infrastructure. A PaaS cloud provides useful software building blocks, plus a number of development tools, such as programming language tools, runtime environments, and other tools that assist in deploying new applications. In effect, PaaS is an operating system in the cloud. PaaS is useful for an organization that wants to develop new or tailored applications while paying for the needed computing resources only as needed and only for as long as needed. AppEngine, Engine Yard, Heroku, Microsoft Azure, Force.com, and Apache Stratos are examples of PaaS.

The following list describes example PaaS services. The numbers in parentheses refer to the number of vendors currently offering each service:

Big data as a service (19): These are cloud-based services for the analysis of large or complex data sets that require high scalability.

Business intelligence (18): Platforms for the creation of business intelligence applications such as dashboards, reporting systems, and big data analysis.

Database (18): These services offer scalable database systems ranging from relational database solutions to massively scalable non-SQL datastores.

Development and testing (18): These platforms are only for the development and testing cycles of application development, which expand and contract as needed.

General purpose (22): Platforms suited for general-purpose application development. These services provide a database, a web application runtime environment, and typically support web services for integration.

Integration (14): Services for integrating applications, ranging from cloud-to-cloud integration to custom application integration.

Infrastructure as a Service

With IaaS, the customer has access to the resources of the underlying cloud infrastructure. IaaS provides virtual machines and other abstracted hardware and operating systems. IaaS offers the customer processing, storage, networks, and other fundamental computing resources so that the customer can deploy and run arbitrary software, which can include operating systems and applications. IaaS enables customers to combine basic computing services, such as number crunching and data storage, to build highly adaptable computer systems.

Typically, customers are able to self-provision this infrastructure, using a web-based graphical user interface that serves as an IT operations management console for the overall environment. API access to the infrastructure may also be offered as an option. Examples of IaaS are Amazon Elastic Compute Cloud (Amazon EC2), Microsoft Windows Azure, Google Compute Engine (GCE), and Rackspace.

The following list describes example IaaS services. The numbers in parentheses refer to the number of vendors currently offering each service:

Backup and recovery (14): Platforms providing services to back up and recover file systems and raw data stores on servers and desktop systems.

Cloud broker (7): Tools that manage services on more than one cloud infrastructure platform. Some tools support private-public cloud configurations.

Compute (31): Provides server resources for running cloud-based systems that can be dynamically provisioned and configured as needed.

Content delivery networks (2): CDNs store content and files to improve the performance and cost of delivering content for web-based systems.

Services management (7): Services that manage cloud infrastructure platforms. These tools often provide features that cloud providers do not provide, or specialize in managing certain application technologies.

Storage (12): Provides massively scalable storage capacity that can be used for applications, backups, archiving, file storage, and more.

Figure 13.3 compares the functions implemented by the cloud service provider for the three principal cloud service models.

FIGURE 13.3 Separation of Responsibilities in Cloud Operation

Other Cloud Services

A number of other cloud services have been proposed, with some available as vendor offerings. A useful list of these additional services is provided by ITU-T Y.3500 (Cloud Computing — Overview and Vocabulary, August 2014).

In addition to SaaS, PaaS, and IaaS, Y.3500 lists the following as representative cloud service categories:

Communications as a Service (CaaS): The integration of real-time interaction and collaboration services to optimize business processes. This service provides a unified interface and consistent user experience across multiple devices. Examples of services included are video teleconferencing, web conferencing, instant messaging, and voice over IP.

Compute as a Service (CompaaS): The provision and use of processing resources needed to deploy and run software. CompaaS may be thought of as a simplified IaaS, with the focus on providing compute capacity.

Data Storage as a Service (DSaaS): The provision and use of data storage and related capabilities. DSaaS describes a storage model where the client leases storage space from a third-party provider. Data is transferred from the client to the service provider via the Internet, and the client then accesses the stored data using software provided by the storage provider. The software is used to perform common tasks related to storage, such as data backups and data transfers.

Network as a Service (NaaS): Transport connectivity services / intercloud network connectivity services. NaaS involves the optimization of resource allocations by considering network and computing resources as a unified whole. NaaS can include flexible and extended virtual private network (VPN), bandwidth on demand, custom routing, multicast protocols, security firewall, intrusion detection and prevention, wide-area network (WAN), content monitoring and filtering, and antivirus.

Y.3500 distinguishes between cloud capabilities and cloud services. The three capability types are application, platform, and infrastructure, corresponding to the basic service types SaaS, PaaS, and IaaS. A cloud service category can include capabilities from one or more cloud capability types. Table 13.1 shows the relationship between the seven cloud service categories and the three cloud capability types.

TABLE 13.1 Cloud Service Categories and Cloud Capabilities Types

Y.3500 also lists examples of emerging cloud service categories:

Database as a Service: Database functionalities on demand where the installation and maintenance of the databases are performed by the cloud service provider.

Desktop as a Service: The ability to build, configure, manage, store, execute, and deliver user desktop functions remotely. In essence, Desktop as a Service offloads common desktop apps plus data from the user’s desktop or laptop computer into the cloud. It is designed to provide a reliable, consistent experience for the remote use of programs, applications, processes, and files.

E-mail as a Service: A complete e-mail service, including related support services such as storage, receipt, transmission, backup, and recovery of e-mail.

Identity as a Service: Identity and access management (IAM) that can be extended and centralized into existing operating environments. This includes provisioning, directory management, and the operation of a single sign-on service.

Management as a Service: Includes application management, asset and change management, capacity management, problem management (service desk), project portfolio management, service catalog, and service level management.

Security as a Service: The integration of a suite of security services with the existing operating environment by the cloud service provider. This may include authentication, antivirus, antimalware/spyware, intrusion detection, and security event management, among others.

XaaS

XaaS

 

XaaS 是云服务配置的最新发展。该缩写词有三种普遍接受的解释,所有这些解释几乎都是相同的:

XaaS is the latest development in the provisioning of cloud services. The acronym has three generally accepted interpretations, all of which mean pretty much the same thing:

 

图像 任何事物即服务:任何事物指除三种传统服务之外的任何服务。

Anything as a Service: Where anything refers to any service other than the three traditional services.

 

图像 一切即服务:尽管有时会详细说明此版本,但它有些误导,因为没有供应商提供所有可能的云服务。此版本旨在表明云服务提供商正在提供广泛的服务产品。

Everything as a Service: Although this version is sometimes spelled out, it is somewhat misleading, because no vendor offers every possible cloud service. This version is meant to suggest that the cloud service provider is providing a wide range of service offerings.

 

X as a Service: Where X can represent any possible cloud service option.

 

XaaS providers go beyond the traditional “big three” services in three ways.

 

Some providers package together SaaS, PaaS, and IaaS so that the customer can do one-stop shopping for the basic cloud services that enterprises are coming to rely on.

 

XaaS providers can increasingly displace a wider range of services that IT departments typically offer internal customers. This strategy reduces the burden on the IT department to acquire, maintain, patch, and upgrade a variety of common applications and services.

 

The XaaS model typically involves an ongoing relationship between customer and provider, in which there are regular status updates and a genuine two-way, real-time exchange of information. In effect, this is a managed service offering, enabling the customer to commit to only the amount of service needed at any time, and to expand both the amount and types of service as the customer's needs evolve and as the available offerings expand.

 

XaaS is becoming increasingly attractive to customers because it offers these benefits:

 

Total costs are controlled and lowered. By outsourcing the maximum range of IT services to a qualified expert partner, an enterprise sees both immediate and long-term cost reductions. Capital expenditures are drastically reduced because far less hardware and software needs to be acquired locally. Operating expenses are lower because the resources used are tailored to immediate needs and change only as needs change.

 

Risks are lowered. XaaS providers offer agreed service levels, which reduces the risk of cost overruns so common with internal projects. The use of a single provider for a wide range of services provides a single point of contact for resolving problems (and, correspondingly, a single point of dependency whose outage or compromise affects all of those services at once).

 

Innovation is accelerated. IT departments constantly run the risk of installing new hardware and software only to find that later versions that are more capable, less expensive, or both are available by the time installation is complete. With XaaS, the latest offerings are more quickly available. Further, providers can react quickly to customer feedback.

 

13.3 Cloud Deployment Models

 

An increasingly prominent trend in many organizations is to move a substantial portion or even all information technology (IT) operations to enterprise cloud computing. The organization is faced with a range of choices as to cloud ownership and management. This section looks at the four most prominent deployment models for cloud computing.

 

Public Cloud

 

A public cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. The cloud provider is responsible for the cloud infrastructure and for the operation and control of the services running within it; as noted below, the subscriber remains responsible for its own data and for regulatory compliance. A public cloud may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud service provider.

 

In a public cloud model, all major components are outside the enterprise firewall, located in a multitenant infrastructure. Applications and storage are made available over the Internet, with traffic protected in transit (for example, by TLS or a VPN), and can be free or offered at a pay-per-usage fee. This type of cloud supplies easy-to-use consumer-type services, such as Amazon and Google on-demand web applications or capacity, Yahoo! Mail, and Facebook or LinkedIn social media providing free storage for photographs. Although public clouds are inexpensive and scale to meet needs, they typically provide weaker service level agreements (SLAs) or none at all, and may not offer the guarantees against data loss or corruption found with private or hybrid cloud offerings. The public cloud is appropriate for consumers and entities not requiring the same levels of service that are expected within the firewall. Also, public IaaS clouds do not by themselves enforce the restrictions needed to comply with privacy laws; that compliance remains the responsibility of the subscriber or corporate end user. In many public clouds, the focus is on the consumer and small and medium-size businesses, with pay-per-use pricing that often equates to pennies per gigabyte. Examples of services here might be picture and music sharing, laptop backup, or file sharing.

 

The major advantage of the public cloud is cost. A subscribing organization pays only for the services and resources it needs and can adjust these as needed. Further, the subscriber has greatly reduced management overhead. The principal concern is security; however, a number of public cloud providers have demonstrated strong security controls and, in fact, such providers may have more resources and expertise to devote to security than would be available in a private cloud. That expertise covers the provider's side of the arrangement; the subscriber still has to configure and operate its own tenancy (identities, access policies, data protection) securely.

 

Private Cloud

 

A private cloud is implemented within the internal IT environment of the organization. The organization may choose to manage the cloud in house or contract the management function to a third party. In addition, the cloud servers and storage devices may exist on premises or off premises.

 

Private clouds can deliver IaaS internally to employees or business units through an intranet or over the Internet via a virtual private network (VPN), as well as software (applications) or storage as services to the organization's branch offices. In both cases, private clouds are a way to leverage existing infrastructure, and to deliver, and charge back for, bundled or complete services from the privacy of the organization's network. Examples of services delivered through the private cloud include database on demand, e-mail on demand, and storage on demand.

 

A key motivation for opting for a private cloud is security. A private cloud infrastructure offers tighter controls over the geographic location of data storage and other aspects of security. Other benefits include easy resource sharing and rapid deployment to organizational entities.

 

Community Cloud

 

A community cloud shares characteristics of private and public clouds. Like a private cloud, a community cloud has restricted access. Like a public cloud, the cloud resources are shared among a number of independent organizations. The organizations that share the community cloud have similar requirements and, typically, a need to exchange data with each other. One example of an industry that is using the community cloud concept is the healthcare industry. A community cloud can be implemented to comply with government privacy and other regulations. The community participants can exchange data in a controlled fashion.

 

The cloud infrastructure may be managed by the participating organizations or a third party and may exist on premises or off premises. In this deployment model, the costs are spread over fewer users than a public cloud (but more than a private cloud), so only some of the cost savings potential of cloud computing are realized.

 

Hybrid Cloud

 

The hybrid cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (for example, cloud bursting for load balancing between clouds). With a hybrid cloud solution, sensitive information can be placed in a private area of the cloud, and less sensitive data can take advantage of the benefits of the public cloud.

 

A hybrid public/private cloud solution can be particularly attractive for smaller businesses. Many applications with lower security sensitivity can be offloaded at considerable cost savings without committing the organization to moving its more sensitive data and applications to the public cloud.

 

Table 13.2 lists some of the relative strengths and weaknesses of the four cloud deployment models.

 
TABLE 13.2 Comparison of Cloud Deployment Models

 

13.4 Cloud Architecture

 

To gain a better understanding of the elements of a cloud system, this section examines two reference architectures.

 

NIST Cloud Computing Reference Architecture

 

NIST SP 500-292, NIST Cloud Computing Reference Architecture, September 2011, establishes a reference architecture, described as follows:

 

The NIST cloud computing reference architecture focuses on the requirements of “what” cloud services provide, not a “how to” design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference.

 

NIST developed the reference architecture with the following objectives in mind:

 

To illustrate and understand the various cloud services in the context of an overall cloud computing conceptual model.

 

To provide a technical reference for consumers to understand, discuss, categorize, and compare cloud services.

 

To facilitate the analysis of candidate standards for security, interoperability, and portability and reference implementations.

 
Cloud Computing Actors
 

The reference architecture depicted in Figure 13.4 defines five major actors in terms of the roles and responsibilities, as defined in the list that follows.

 
FIGURE 13.4 NIST Cloud Computing Reference Architecture

 

Cloud consumer: A person or organization that maintains a business relationship with and uses services from cloud providers.

 

Cloud provider (CP): A person, organization, or entity responsible for making a service available to interested parties.

 

Cloud auditor: A party that can conduct independent assessment of cloud services, information system operations, performance, and security of the cloud implementation.

 

Cloud broker: An entity that manages the use, performance and delivery of cloud services and negotiates relationships between CPs and cloud consumers.

 

Cloud carrier: An intermediary that provides connectivity and transport of cloud services from CPs to cloud consumers.

 

The roles of the cloud consumer and provider have already been discussed. To summarize, a cloud provider can provide one or more of the cloud services to meet IT and business requirements of cloud consumers. For each of the three service models (SaaS, PaaS, IaaS), the CP provides the storage and processing facilities needed to support that service model, together with a cloud interface for cloud service consumers. For SaaS, the CP deploys, configures, maintains, and updates the operation of the software applications on a cloud infrastructure so that the services are provisioned at the expected service levels to cloud consumers. The consumers of SaaS can be organizations that provide their members with access to software applications, end users who directly use software applications, or software application administrators who configure applications for end users.

 

For PaaS, the CP manages the computing infrastructure for the platform and runs the cloud software that provides the components of the platform, such as runtime software execution stack, databases, and other middleware components. Cloud consumers of PaaS can employ the tools and execution resources provided by CPs to develop, test, deploy, and manage the applications hosted in a cloud environment.

 

For IaaS, the CP acquires the physical computing resources underlying the service, including the servers, networks, storage, and hosting infrastructure. The IaaS cloud consumer in turn uses these computing resources, such as a virtual computer, for their fundamental computing needs.

 

The cloud carrier is a networking facility that provides connectivity and transport of cloud services between cloud consumers and CPs. Typically, a CP will set up SLAs with a cloud carrier to provide services consistent with the level of SLAs offered to cloud consumers, and may require the cloud carrier to provide dedicated and secure connections between cloud consumers and CPs.

 

A cloud broker is useful when cloud services are too complex for a cloud consumer to easily manage. Three areas of support can be offered by a cloud broker:

 

Service intermediation: These are value-added services, such as identity management, performance reporting, and enhanced security.

 

Service aggregation: The broker combines multiple cloud services to meet consumer needs not specifically addressed by a single CP, or to optimize performance or minimize cost.

 

Service arbitrage: This is similar to service aggregation except that the services being aggregated are not fixed. Service arbitrage means a broker has the flexibility to choose services from multiple agencies. The cloud broker, for example, can use a credit-scoring service to measure and select an agency with the best score.
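Two of the selection rules described on this page combine naturally into one placement check: the hybrid cloud principle that sensitive information stays in the private part of the estate (together with the control a private cloud gives over where data is stored), and the broker's service arbitrage among several candidate offerings. The following Python is an added example written for this page; it is not code from the book, from NIST SP 500-292, or from any broker product. The sensitivity labels, the deployment-model ceiling per label, the offerings, their attested controls and SLA figures, and the broker scores are all constructed for illustration:

```python
"""Added illustration: a broker-style placement check that applies the hybrid
cloud rule (sensitive data stays private), a data-residency constraint and an
SLA floor, then performs service arbitrage among the compliant offerings.
All labels, offerings and scores below are constructed for the example."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, Optional

# Sensitivity labels ordered from least to most sensitive (assumed scheme).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Highest sensitivity each deployment model may host (assumed organizational policy).
MAX_SENSITIVITY = {"public": SENSITIVITY["internal"],
                   "community": SENSITIVITY["confidential"],
                   "private": SENSITIVITY["restricted"]}

@dataclass(frozen=True)
class Offering:
    name: str
    deployment: str             # "public", "community" or "private"
    regions: frozenset          # where the provider may store the data
    sla_availability: float     # contractual availability, e.g. 0.999
    score: float                # broker's rating of the offering (higher is better)
    controls: frozenset = frozenset()   # controls an auditor has attested

@dataclass(frozen=True)
class Workload:
    name: str
    sensitivity: str
    allowed_regions: frozenset  # data-residency constraint
    min_availability: float
    required_controls: frozenset = frozenset()

def is_compliant(w: Workload, o: Offering) -> tuple[bool, str]:
    """Policy gate: every constraint must hold; the reason for a rejection is returned."""
    if SENSITIVITY[w.sensitivity] > MAX_SENSITIVITY[o.deployment]:
        return False, f"{w.sensitivity} data may not be placed in a {o.deployment} cloud"
    if not o.regions <= w.allowed_regions:
        return False, f"stores data in {sorted(o.regions - w.allowed_regions)}, outside the allowed regions"
    if o.sla_availability < w.min_availability:
        return False, f"SLA {o.sla_availability} below required {w.min_availability}"
    missing = w.required_controls - o.controls
    if missing:
        return False, f"missing attested controls: {sorted(missing)}"
    return True, "ok"

def select_offering(w: Workload, offerings: Iterable[Offering]) -> Optional[Offering]:
    """Service arbitrage: the best-scoring compliant offering, or None (fail closed)."""
    compliant = [o for o in offerings if is_compliant(w, o)[0]]
    if not compliant:
        return None
    return max(compliant, key=lambda o: (o.score, o.sla_availability))

# Constructed sample data: one private, one community and two public offerings.
OFFERINGS = (
    Offering("corp-private", "private", frozenset({"EU"}), 0.995, 6.0,
             frozenset({"encryption-at-rest", "hsm-keys", "audit-logging"})),
    Offering("health-community", "community", frozenset({"EU"}), 0.999, 7.5,
             frozenset({"encryption-at-rest", "audit-logging"})),
    Offering("public-eu", "public", frozenset({"EU"}), 0.9999, 9.0,
             frozenset({"encryption-at-rest"})),
    Offering("public-global", "public", frozenset({"EU", "US"}), 0.9999, 9.5,
             frozenset({"encryption-at-rest"})),
)
WORKLOADS = (
    Workload("marketing-site", "public", frozenset({"EU", "US"}), 0.999),
    Workload("patient-records", "confidential", frozenset({"EU"}), 0.999,
             frozenset({"encryption-at-rest", "audit-logging"})),
    Workload("key-management", "restricted", frozenset({"EU"}), 0.99, frozenset({"hsm-keys"})),
    Workload("trading-ledger", "restricted", frozenset({"EU"}), 0.9999),
)

def place_all(workloads=WORKLOADS, offerings=OFFERINGS) -> dict[str, Optional[str]]:
    """Map each workload to the chosen offering name; None means no compliant placement exists."""
    placement = {}
    for w in workloads:
        chosen = select_offering(w, offerings)
        placement[w.name] = chosen.name if chosen else None
    return placement

if __name__ == "__main__":
    for name, target in place_all().items():
        print(f"{name:16s} -> {target or 'NO COMPLIANT OFFERING (fail closed)'}")
```

The gate is evaluated before any score is considered, so the highest-rated public offering never wins a confidential workload, and a workload with no compliant offering is left unplaced rather than sent to the best-scoring one; the trading-ledger workload above exercises that fail-closed path. The rejection reason returned by is_compliant is what an auditor or the consumer would want logged beside each placement decision.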

 

A cloud auditor can evaluate the services provided by a CP in terms of security controls, privacy impact, performance, and so on. The auditor is an independent entity that can assure that the CP conforms to a set of standards.

 

Figure 13.5 illustrates the interactions between the actors. A cloud consumer may request cloud services from a cloud provider directly or via a cloud broker. A cloud auditor conducts independent audits and may contact the others to collect necessary information. This figure shows that cloud networking issues in fact involve three separate types of networks. For a cloud provider, the network architecture is that of a typical large data center, which consists of racks of high-performance servers and storage devices, interconnected with high-speed top-of-rack Ethernet switches. The concerns in this context focus on virtual machine placement and movement, load balancing, and availability issues. The enterprise network is likely to have a quite different architecture, typically including a number of LANs, servers, workstations, PCs, and mobile devices, with a broad range of network performance, security, and management issues. The concern of both provider and consumer with respect to the cloud carrier, which is shared with many users, is the ability to create virtual networks, with appropriate SLA and security guarantees.

 
FIGURE 13.5 Interactions Between Actors in Cloud Computing

 
Cloud Provider Architectural Components
 

Figure 13.4 shows four main architectural components of the cloud provider. Service orchestration refers to the composition of system components to support the cloud provider activities in arrangement, coordination, and management of computing resources to provide cloud services to cloud consumers. Orchestration is shown as a three-layer architecture. We see here the familiar mapping of physical resources to consumer-visible services by a resource abstraction layer. Examples of resource abstraction components include software elements such as hypervisors, virtual machines, virtual data storage, and other computing resource abstractions.

 

Cloud service management includes all the service-related functions necessary for the management and operation of those services required by or proposed to cloud consumers. It covers three main areas:

 

Business support: This consists of business-related services dealing with customers, such as accounting, billing, reporting, and auditing.

 

Provisioning/configuration: This includes automated tools for rapid deployment of cloud systems for consumers, adjusting configuration and resource assignment, and monitoring and reporting on resource usage.

 

Portability/interoperability: Consumers are interested in cloud offerings that support data and system portability and service interoperability. This is particularly useful in a hybrid cloud environment, in which the consumer may want to change the allocation of data and applications between on-premises and off-premises sites.

 

Security and privacy are concerns that encompass all layers and elements of the cloud provider’s architecture.

 

ITU-T Cloud Computing Reference Architecture

 

It is useful to look at an alternative reference architecture, published in ITU-T Y.3502, Cloud Computing Architecture, August 2014. This architecture is somewhat broader in scope than the NIST architecture and views the architecture as a layered functional architecture.

 
Cloud Computing Actors
 

Before looking at the four-layer reference architecture, we need to note the differences between NIST and ITU-T in defining cloud actors. The ITU-T document defines three actors:

 

Cloud service customer or user: A party that is in a business relationship for the purpose of using cloud services. The business relationship is with a cloud service provider or a cloud service partner. Key activities for a cloud service customer include, but are not limited to, using cloud services, performing business administration, and administering use of cloud services.

 

Cloud service provider: A party that makes cloud services available. The cloud service provider focuses on activities necessary to provide a cloud service and activities necessary to ensure its delivery to the cloud service customer as well as cloud service maintenance. The cloud service provider includes an extensive set of activities (for example, provide service, deploy and monitor service, manage business plan, provide audit data) as well as numerous subroles (for example, business manager, service manager, network provider, security and risk manager).

 

Cloud service partner: A party which is engaged in support of, or auxiliary to, activities of either the cloud service provider or the cloud service customer, or both. A cloud service partner’s activities vary depending on the type of partner and their relationship with the cloud service provider and the cloud service customer. Examples of cloud service partners include cloud auditor and cloud service broker.

 

Figure 13.6 depicts the actors with some of their possible roles in a cloud ecosystem.

 
FIGURE 13.6 Actors with Some of Their Possible Roles in a Cloud Ecosystem

 
Layered Architecture
 

Figure 13.7 shows the four-layer ITU-T cloud computing reference architecture. The user layer is the user interface through which a cloud service customer interacts with a cloud service provider and with cloud services, performs customer-related administrative activities, and monitors cloud services. It can also offer the output of cloud services to another resource layer instance. When the cloud receives service requests, it orchestrates its own resources and/or other clouds' resources (if other clouds' resources are received via the intercloud function) and provides back cloud services through the user layer. The user layer is where the cloud service user (CSU) resides.

 
FIGURE 13.7 ITU-T Cloud Computing Reference Architecture

 

The access layer provides a common interface for both manual and automated access to the capabilities available in the services layer. These capabilities include both the capabilities of the services and also the administration and business capabilities. The access layer accepts user/partner/other provider cloud service consumption requests using cloud application programming interfaces (APIs) to access the provider’s services and resources.

 

The access layer is responsible for presenting cloud service capabilities over one or more access mechanisms—for example, as a set of web pages accessed via a browser, or as a set of web services that can be accessed programmatically. The access layer also deals with security and QoS.

 

The service layer contains the implementation of the services provided by a cloud service provider (for example, SaaS, PaaS, IaaS). The service layer contains and controls the software components that implement the services (but not the underlying hypervisors, host operating systems, device drivers, and so on), and arranges to offer the cloud services to users via the access layer.

 

The resource layer consists of physical resources available to the provider and the appropriate abstraction and control mechanisms. For example, hypervisor software can provide virtual network, virtual storage, and virtual machine capabilities. It also houses the cloud core transport network functionality that is required to provide underlying network connectivity between the provider and users.

 

The multilayer functions comprise a series of functional components that interact with functional components of the four other layers to provide supporting capabilities. They fall into five categories:

 

Integration: Responsible for connecting functional components in the architecture to create a unified architecture. The integration functional components provide message routing and message exchange mechanisms within the cloud architecture and its functional components as well as with external functional components.

 

Security systems: Responsible for applying security related controls to mitigate the security threats in cloud computing environments. The security systems functional components encompass all the security facilities required to support cloud services.

 

Operational support systems (OSS): Encompass the set of operational related management capabilities that are required to manage and control the cloud services offered to customers. OSS is also involved in system monitoring, including the use of alarms and events.

 

Business support systems (BSS): Encompass the set of business-related management capabilities dealing with customers and supporting processes, such as billing and accounts.

 

Development function: Supports the cloud computing activities of the cloud service developer. This includes support of the development/composition of service implementations, build management and test management.

 

13.5 SDN and NFV

 

Cloud computing predates software-defined networking (SDN) and network functions virtualization (NFV). While cloud computing can be, and has been, deployed and managed without SDN and NFV, both of these technologies are compelling for both private cloud operators and public cloud service providers.

 

In simplified and generalized terms, what SDN offers is centralized command and control of network resources and traffic patterns. A single central controller, or a few distributed cooperating controllers, can configure and manage virtual networks and provide QoS and security services. This relieves network management of the need to individually configure and program each networking device.
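To make the point about centralized command and control concrete, here is an added example in Python, written for this page rather than taken from the book or from any SDN controller. It models a controller that holds one global tenant-isolation policy, compiles it into a separate flow table for each switch, and checks the compiled tables before they would be pushed to the devices. The switch names, tenant prefixes and the shared resolver address are constructed; the rule format is a simplified abstraction and not the OpenFlow or any vendor message format:

```python
"""Added illustration: a centralized SDN controller model that compiles one
tenant-isolation policy into per-switch flow tables and verifies them.
Switch names, prefixes and the shared service are constructed data; the Rule
type is an abstraction, not OpenFlow or any vendor API."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product

@dataclass(frozen=True)
class Rule:
    priority: int   # higher wins; the table is evaluated first-match in priority order
    src: str        # source prefix (CIDR)
    dst: str        # destination prefix (CIDR)
    proto: str      # "any", "tcp" or "udp"
    dport: int      # 0 means any destination port
    action: str     # "forward" or "drop"

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (0, pkt.get("dport", 0)))

# Global policy held by the controller (constructed values).
TENANTS = {"tenant-a": ["10.1.0.0/24"], "tenant-b": ["10.2.0.0/24"]}
SHARED_SERVICES = [("10.0.0.53/32", "udp", 53)]   # a resolver every tenant may reach
SWITCHES = {"tor-1": ["tenant-a"], "tor-2": ["tenant-b"], "tor-3": ["tenant-a", "tenant-b"]}

def compile_flow_table(switch: str, tenants=TENANTS, shared=SHARED_SERVICES,
                       switches=SWITCHES) -> list[Rule]:
    """Derive one switch's flow table from the global policy."""
    rules: list[Rule] = []
    for tenant in switches[switch]:
        nets = tenants[tenant]
        # Intra-tenant traffic is permitted between any of the tenant's own prefixes.
        for src, dst in product(nets, nets):
            rules.append(Rule(100, src, dst, "any", 0, "forward"))
        # Each attached tenant may reach the shared services on the stated port only.
        for svc, proto, port in shared:
            for src in nets:
                rules.append(Rule(50, src, svc, proto, port, "forward"))
    # Lowest priority: everything not explicitly permitted is dropped (default deny).
    rules.append(Rule(0, "0.0.0.0/0", "0.0.0.0/0", "any", 0, "drop"))
    return sorted(rules, key=lambda r: r.priority, reverse=True)

def compile_all(switches=SWITCHES) -> dict[str, list[Rule]]:
    """One table per switch, all derived from the same policy statement."""
    return {name: compile_flow_table(name) for name in switches}

def lookup(table: list[Rule], pkt: dict) -> str:
    """First-match lookup in priority order; no match at all also means drop."""
    for rule in table:
        if rule.matches(pkt):
            return rule.action
    return "drop"

def verify_isolation(tables: dict[str, list[Rule]], tenants=TENANTS, switches=SWITCHES) -> bool:
    """Pre-deployment check: no switch forwards traffic between two different tenants."""
    for switch, table in tables.items():
        for a, b in product(switches[switch], repeat=2):
            if a == b:
                continue
            for src_net, dst_net in product(tenants[a], tenants[b]):
                pkt = {"src": str(ip_network(src_net)[1]), "dst": str(ip_network(dst_net)[1]),
                       "proto": "tcp", "dport": 443}
                if lookup(table, pkt) != "drop":
                    return False
    return True

if __name__ == "__main__":
    tables = compile_all()
    for name, table in tables.items():
        print(name, [(r.priority, r.src, r.dst, r.proto, r.dport, r.action) for r in table])
    print("isolation holds:", verify_isolation(tables))
```

The operator states the policy once (which prefixes belong to which tenant, which shared services everyone may reach); the controller derives the per-device rules, including the low-priority default drop that makes each table fail closed, and verify_isolation gives a check that does not depend on how many switches the fabric has. Doing the same by hand would mean editing every top-of-rack switch each time a tenant or a shared service is added, which is exactly the per-device configuration burden the paragraph above says SDN removes.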

 

What NFV offers is automated provisioning of devices. NFV virtualizes network devices, such as switches and firewalls, as well as compute and storage devices, and provides tools for scaling out and automatically deploying devices as needed. Therefore, each project or cloud customer does not require separate equipment or reprogramming of existing equipment. Relevant devices can be centrally deployed via a hypervisor management platform and configured with rules and policies.

 

Service Provider Perspective

 

A large cloud service provider will deal with thousands of customers, with dynamic needs for capacity, both in terms of traffic-carrying capacity and in terms of compute and storage resources. The provider needs to be able to rapidly manage the entire network to handle traffic bottlenecks, manage numerous traffic flows with differing QoS requirements, and deal with outages and other problems. All of this must be done in a secure manner. SDN can provide the needed overall view of the entire network and secure, centralized management of the network. The provider needs to be able to deploy and scale in/out and up/down virtual switches, servers, and storage rapidly and transparently for the customer. NFV provides the automated tools for managing this process.

 

Private Cloud Perspective

 

Large and medium-size enterprises see a number of advantages to moving much of their network-based operations to a private cloud or a hybrid cloud. Their customers are end users, IT managers, and developers. Individual departments may have substantial, dynamic IT resource needs. The enterprise typically will need to develop one or multiple server farms / data centers. As the overall resource demand grows, the ability to deploy and manage all of the equipment becomes more challenging. In addition, there are security requirements, such as firewall and antivirus deployments. Further complicating the scenario is the need for load balancing as projects grow and consume more resources, so the need for rapid scalability and provisioning of devices becomes more pronounced. The need for automated provisioning of virtual networking equipment almost becomes a requirement, and with all the new virtual devices (especially in conjunction with the existing physical devices), centralized command and control becomes a must. SDN and NFV provide the enterprise with the tools to successfully develop and manage private cloud resources for internal use.

 

ITU-T Cloud Computing Functional Reference Architecture

 

Figure 13.7 showed the four-layer cloud computing reference architecture defined in Y.3502. For our discussion of the relationship between cloud networking and NFV, it is instructive to look at an earlier version of this architecture, defined in ITU-T Focus Group on Cloud Computing Technical Report, Part 2: Functional Requirements and Reference Architecture, February 2012 and shown in Figure 13.8. This architecture has the same four-layer structure as that of Y.3502, but provides more detail of the lowest layer, called the resources and network layer. This layer consists of three sublayers as defined in the list that follows.

 
图像

图 13.8 ITU-T 云计算功能参考架构

FIGURE 13.8 ITU-T Cloud Computing Functional Reference Architecture

 

图像 资源编排:上层和用户对计算、存储和网络资源进行管理、监控和调度为可消费的服务。它控制虚拟化资源的创建、修改、定制和释放。

Resource orchestration: The management, monitoring, and scheduling of computing, storage, and network resources into consumable services by the upper layers and users. It controls the creation, modification, customization and release of virtualized resources.

 

图像 池化和虚拟化:虚拟化功能将物理资源转变为虚拟机、虚拟存储和虚拟网络。这些虚拟资源又由资源编排根据用户需求进行管理和控制。池化和虚拟化层中的软件和平台资产是运行时环境、应用程序以及用于编排和实施云服务的其他软件资产。

Pooling and virtualization: The virtualization function turns physical resources into virtual machines, virtual storage, and virtual networks. These virtual resources are in turn managed and controlled by the resource orchestration, based on user demand. Software and platform assets in the pooling and virtualization layer are the runtime environment, applications, and other software assets used to orchestrate and implement cloud services.

 

图像 物理资源:提供云服务的基础的计算、存储和网络资源。这些资源可能包括驻留在云数据中心内部的资源(例如,计算服务器、存储服务器和云内网络),以及驻留在数据中心外部的资源,通常是网络资源,例如云间网络和核心传输网络。

Physical resources: The computing, storage, and network resources that are fundamental to providing cloud services. These resources may include those that reside inside cloud-data centers (for example, computing servers, storage servers, and intracloud networks), and those that reside outside of data centers, typically networking resources, such as intercloud networks and core transport networks.

 

将 ITU-T 架构的资源和网络层与 NFV 架构框架进行比较(参见第 7 章网络功能虚拟化:概念和架构”中的图 7.7)表明,资源和网络层对于较低的两个子层,可以使用网络功能虚拟化基础设施(NFVI),对于资源编排子层使用虚拟化基础设施管理器(VIM)来实现。因此,通用工具(通常以开放软件的形式)加上商业现成的物理资源,使云提供商能够有效地部署和管理云服务和资源。将云架构中的许多上层功能映射到虚拟网络功能或SDN控制和应用层功能也应该是一种有效的策略。因此,NFV和SDN都有助于云服务的部署。

A comparison of the resources and network layer of the ITU-T architecture to the NFV architectural framework (refer to Figure 7.7 in Chapter 7, “Network Functions Virtualization: Concepts and Architecture”) suggests that the resources and network layer can be implemented using the network functions virtualization infrastructure (NFVI) for the lower two sublayers and virtualized infrastructure manager (VIM) for the resource orchestration sublayer. Thus, the general-purpose tools, often in the form of open software, plus commercial off-the-shelf physical resources, enable the cloud provider to effectively deploy and manage cloud services and resources. It should also be an effective strategy to map many of the upper layer functions in the cloud architecture to either virtual network functions or SDN control and application layer functions. Thus, both NFV and SDN contribute to the deployment of cloud services.

 

类似的推理适用于之前图 13.4中所示的 NIST 参考架构。服务编排组件由三层组成:物理资源层、资源抽象与控制层、服务层。下面两层与 NFV 架构的 NFVI 部分非常对应。

Similar reasoning applies to the NIST reference architecture shown previously in Figure 13.4. The service orchestration component consists of three layers: physical resource, resource abstraction and control, and service layers. The lower two layers correspond quite well to the NFVI portion of the NFV architecture.

 

13.6 Key Terms

After completing this chapter, you should be able to define the following terms.

Anything as a Service (XaaS)
cloud auditor
cloud broker
cloud carrier
cloud computing
cloud consumer
cloud networking
cloud provider
cloud service customer
cloud service management
cloud service partner
cloud service provider
cloud storage
Communications as a Service (CaaS)
community cloud
Compute as a Service (CompaaS)
Data Storage as a Service (DSaaS)
hybrid cloud
Infrastructure as a Service (IaaS)
Network as a Service (NaaS)
Platform as a Service (PaaS)
private cloud
public cloud
service orchestration
Software as a Service (SaaS)

Chapter 14. The Internet of Things: Components

Within our grasp is the leisure of the Greek citizen, made possible by our mechanical slaves, which far outnumber his twelve to fifteen per free man. These mechanical slaves jump to our aid. As we step into a room, at the touch of a button a dozen light our way. Another slave sits twenty-four hours a day at our thermostat, regulating the heat of our home. Another sits night and day at our automatic refrigerator. They start our car; run our motors; shine our shoes, and cut our hair. They practically eliminate time and space by their very fleetness.

Spectatoritis, Jay B. Nash, 1932

Chapter Objectives: After studying this chapter, you should be able to

Explain the scope of the Internet of Things.

List and discuss the five principal components of IoT-enabled things.

Section 1.7 provided a brief overview of the concept of the Internet of Things (IoT). This chapter and the next provide a more detailed treatment. This chapter begins with a discussion of the basic concepts and scope of IoT. Then, Section 14.3 lists and discusses the main components of IoT-enabled things. Chapter 15, “The Internet of Things: Architecture and Implementation,” discusses IoT architecture and implementation.

14.1 The IoT Era Begins

The future Internet will involve large numbers of objects that use standard communications architectures to provide services to end users. It is envisioned that tens of billions of such devices will be interconnected in a few years. This will provide new interactions between the physical world and computing, digital content, analysis, applications, and services. This resulting networking paradigm is being called the Internet of Things (IoT). This will provide unprecedented opportunities for users, manufacturers, and service providers in a wide variety of sectors. Areas that will benefit from IoT data collection, analysis, and automation capabilities include health and fitness, healthcare, home monitoring and automation, energy savings and smart grid, farming, transportation, environmental monitoring, inventory and product management, security, surveillance, education, and many others.

Technology development is occurring in many areas. Not surprisingly, wireless networking research is being conducted and actually has been conducted for quite a while now, but under previous titles such as mobile computing, pervasive computing, wireless sensor networks, and cyber-physical systems. Many proposals and products have been developed for low power protocols, security and privacy, addressing, low cost radios, energy efficient schemes for long battery life, and reliability for networks of unreliable and intermittently sleeping nodes. These wireless developments are crucial for the growth of IoT. In addition, areas of development have also involved giving IoT devices social networking capabilities, taking advantage of machine-to-machine communications, storing and processing large amounts of real-time data, and application programming to provide end users with intelligent and useful interfaces to these devices and data.

Many have provided a vision for the IoT. In a 2014 paper in the Internet of Things Journal [STAN14], the author suggests personal benefits such as digitizing daily life activities, patches of bionic skin to communicate with surrounding smart spaces for improved comfort, health, and safety, and smart watches and body nodes that optimize access to city services. Citywide benefits could include efficient, delay-free transportation with no traffic lights. Smart buildings could not only control energy and security, but also support health and wellness activities. In the same ways people have been provided new ways of accessing the world through smartphones, the IoT will create a new paradigm in the ways we have continuous access to needed information and services. Regardless of the level of positivity in one’s view of the IoT or predictions about how soon this will be realized, it is certainly exciting to consider this future.

14.2 The Scope of the Internet of Things

ITU-T Y.2060, Overview of the Internet of Things, June 2012, provides the following definitions that suggest the scope of IoT:

Internet of Things (IoT): A global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.

Thing: With regard to the IoT, this is an object of the physical world (physical things) or the information world (virtual things), which is capable of being identified and integrated into communication networks.

Device: With regard to the IoT, this is a piece of equipment with the mandatory capabilities of communication and the optional capabilities of sensing, actuation, data capture, data storage, and data processing.

Most of the literature views the IoT as involving intercommunicating smart objects. Y.2060 extends this to include virtual things, a topic examined in Section 14.4.

Y.2060 characterizes the IoT as adding the dimension “Any THING communication” to the information and communication technologies which already provide “any TIME” and “any PLACE” communication (see Figure 14.1).

FIGURE 14.1 The New Dimension Introduced in the Internet of Things

In Designing the Internet of Things [MCEW13], the author condenses the elements of the IoT into a simple equation:

Physical objects + Controllers, Sensors, Actuators + Internet = IoT

This equation neatly captures the essence of the Internet of Things. An instance of the IoT consists of a collection of physical objects, each of which

Contains a microcontroller that provides intelligence

Contains a sensor that measures some physical parameter and/or an actuator that acts on some physical parameter

Provides a means of communicating via the Internet or some other network

One item not covered in the equation, and referred to in the Y.2060 definition, is a means of identification of an individual thing, usually referred to as a tag. We discuss tags in Section 14.3.

Note that although the phrase the Internet of Things is always used in the literature, a more accurate description would be an Internet of Things, or a network of things. A smart home installation, for example, consists of a number of things in the home that are interconnected via Wi-Fi or Bluetooth with some central controller. In a factory or farm setting, there may be a network of things enabling enterprise applications to interact with the environment and run applications to exploit the network of things. In these examples, it is usually but not invariably the case that remote access over the Internet is available. Whether or not such an Internet connection is available, the collection of smart objects at a site, plus any other local compute and storage devices, can be characterized as a network or an Internet of Things.

Table 14.1, based on a graphic from Beecham Research, gives an idea of the scope of IoT.

Source: Beecham Research

TABLE 14.1 The Internet of Things

14.3 Components of IoT-Enabled Things

The key ingredients of an IoT-enabled thing are sensors, actuators, a microcontroller, a means of communication (transceiver), and a means of identification (radio-frequency identification [RFID]). A means of communication is an essential ingredient; otherwise, the device cannot participate in a network. Nearly all IoT-enabled things have some sort of computing capability, no matter how rudimentary. A device may have one or more of the other ingredients. We examine each of these ingredients in this section.

Sensors

A sensor measures some parameter of a physical, chemical, or biological entity and delivers an electronic signal proportional to the observed characteristic, either in the form of an analog voltage level or a digital signal. In both cases, the sensor output is typically input to a microcontroller or other management element.

The left side of Figure 14.2, adapted from a figure in Middleware Architecture with Patterns and Frameworks [KRAK09], shows the interface between a sensor and the controller for that sensor. A sensor may take the initiative in sending sensor data to the controller, either periodically or when a defined threshold is crossed; this is the active mode. Alternatively, or in addition, the sensor may operate in the passive mode, providing data when requested by the controller.

FIGURE 14.2 Interfaces for Sensors and Actuators

Sensor Types

The variety of sensors used in IoT deployments is huge. Sensors may be extremely tiny, using nanotechnology, or quite substantial, such as a surveillance camera. Sensors may be deployed individually or in very small numbers on the one hand, or in large numbers on the other. Table 14.2, from Practical Electronics for Inventors [SCHE13], lists various types of sensors, with examples of each type.

TABLE 14.2 Types of Sensors

Precision, Accuracy, and Resolution

Two key concepts need to be distinguished in discussing sensors: precision and accuracy. Accuracy refers to how close a measurement comes to the truth, represented as a bull’s eye in Figure 14.3. Precision refers to how close multiple measurements of the same physical quantity are to each other. If a sensor has low accuracy, this produces a systematic error. If a sensor has low precision, it produces a reproducibility error.

FIGURE 14.3 Precision and Accuracy

Related to precision is the concept of resolution. If a sensor has high precision, a very small change in the value of a physical quantity results in a very small change in the value of the sensor measurement. If the sensor output is digital, more bits are needed to represent the measurement to capture these small changes in the underlying physical parameter.
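As an added illustration of these definitions (example code, not from the book), the following Python computes the systematic error (accuracy), the reproducibility error (precision), and the number of output bits needed to capture a given small change, using constructed readings from two hypothetical sensors; the tolerance limits and the 0 to 100 degree span are assumptions.

```python
import math
import statistics

# Constructed illustration: ten repeated readings (degrees C) from two
# hypothetical temperature sensors observing the same true value. These
# numbers are made up for the example; they are not measurements from the text.
TRUE_VALUE = 25.0
SENSOR_A = [25.9, 26.1, 26.0, 25.8, 26.2, 26.0, 25.9, 26.1, 26.0, 26.0]  # tight, but biased
SENSOR_B = [24.1, 26.3, 25.2, 23.9, 26.0, 24.6, 25.7, 25.1, 24.3, 24.8]  # centred, but scattered


def systematic_error(readings, true_value):
    """Accuracy: how far the mean reading sits from the truth (the bias)."""
    return statistics.mean(readings) - true_value


def reproducibility_error(readings):
    """Precision: spread of repeated readings about their own mean (sample std dev)."""
    return statistics.stdev(readings)


def classify(readings, true_value, bias_limit, spread_limit):
    """Return (accurate, precise) judged against the caller's tolerance limits."""
    accurate = abs(systematic_error(readings, true_value)) <= bias_limit
    precise = reproducibility_error(readings) <= spread_limit
    return accurate, precise


def resolution_bits(full_scale, smallest_change):
    """Bits a digital output needs so that one LSB step is no larger than smallest_change."""
    steps = full_scale / smallest_change
    return math.ceil(math.log2(steps))


def adc_code(value, full_scale, bits):
    """Integer code an ideal converter of the given width returns for a value in 0..full_scale."""
    step = full_scale / (1 << bits)
    return min(round(value / step), (1 << bits) - 1)


if __name__ == "__main__":
    for name, readings in (("A", SENSOR_A), ("B", SENSOR_B)):
        bias = systematic_error(readings, TRUE_VALUE)
        spread = reproducibility_error(readings)
        accurate, precise = classify(readings, TRUE_VALUE, 0.5, 0.5)
        print(f"sensor {name}: bias={bias:+.2f} spread={spread:.2f} "
              f"accurate={accurate} precise={precise}")
    # To distinguish a 0.1 degree change over a 0-100 degree span, 10 bits are needed;
    # an 8-bit output maps 25.0 and 25.1 to the same code and loses the change.
    print("bits needed:", resolution_bits(100.0, 0.1))
    print("8-bit codes:", adc_code(25.0, 100.0, 8), adc_code(25.1, 100.0, 8))
    print("10-bit codes:", adc_code(25.0, 100.0, 10), adc_code(25.1, 100.0, 10))
```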

 

Actuators

An actuator receives an electronic signal from a controller and responds by interacting with its environment to produce an effect on some parameter of a physical, chemical, or biological entity. The right side of Figure 14.2 shows the interface between an actuator and the controller for that actuator. In the direct mode of operation, the controller sends a signal that activates the actuator. In callback mode, the actuator responds to the controller to report completion or a problem, and requests further instructions.

Actuators are generally classified as follows:

Hydraulic: Hydraulic actuators consist of a cylinder or fluid motor that utilizes hydraulic power to facilitate a mechanical process. The mechanical motion gives an output in terms of linear, rotary, or oscillatory motion.

Pneumatic: Pneumatic actuators work on the same concept as hydraulic actuators except compressed gas is used instead of liquid. Energy, in the form of compressed gas, is converted into linear or rotary motion, depending on the type of actuator.

Electric: Electric actuators are devices powered by motors that convert electrical energy to mechanical torque.

Mechanical: Mechanical actuators function by converting rotary motion to linear motion. Devices such as gears, rails, pulleys, chains, and others are used to help convert the motion.

Microcontrollers

The “smart” in a smart device is provided by a deeply embedded microcontroller. This section defines some key terms and explains the concept of a microcontroller.

Embedded Systems

The term embedded system refers to the use of electronics and software within a product that has a specific function or set of functions, as opposed to a general-purpose computer, such as a laptop or desktop system. Hundreds of millions of computers are sold every year, including laptops, personal computers, workstations, servers, mainframes, and supercomputers. In contrast, tens of billions of microcontrollers are produced each year that are embedded within larger devices. Today, many, perhaps most, devices that use electric power have an embedded computing system. It is likely that in the near future nearly all such devices will have embedded computing systems.

Types of devices with embedded systems are almost too numerous to list. Examples include cell phones, digital cameras, video cameras, calculators, microwave ovens, home security systems, washing machines, lighting systems, thermostats, printers, various automotive systems (for example, transmission control, cruise control, fuel injection, anti-lock brakes, and suspension systems), tennis rackets, toothbrushes, and numerous types of sensors and actuators in automated systems.

Often, embedded systems are tightly coupled to their environment. This can give rise to real-time constraints imposed by the need to interact with the environment. Constraints, such as required speeds of motion, required precision of measurement, and required time durations, dictate the timing of software operations. If multiple activities must be managed simultaneously, this imposes more complex real-time constraints.

Figure 14.4 shows in general terms an embedded system organization. In addition to the processor and memory, there are a number of elements that differ from the typical desktop or laptop computer:

FIGURE 14.4 Possible Organization of an Embedded System

There may be a variety of interfaces that enable the system to measure, manipulate, and otherwise interact with the external environment. Embedded systems often interact (sense, manipulate, and communicate) with the external world through sensors and actuators and hence are typically reactive systems; a reactive system is in continual interaction with the environment and executes at a pace determined by that environment.

The human interface may be as simple as a flashing light or as complicated as real-time robotic vision. In many cases, there is no human interface.

The diagnostic port may be used for diagnosing the system that is being controlled, not just for diagnosing the computer.

Special-purpose field programmable (FPGA), application-specific (ASIC), or even nondigital hardware may be used to increase performance or reliability.

Software often has a fixed function and is specific to the application.

Efficiency is of paramount importance for embedded systems. They are optimized for energy, code size, execution time, weight and dimensions, and cost.

There are several noteworthy areas of similarity to general-purpose computer systems as well:

Even with nominally fixed function software, the ability to deploy field upgrades to fix bugs, improve security, and add functionality has become very important for embedded systems, and not just in consumer devices.

One comparatively recent development has been of embedded system platforms that support a wide variety of apps. Good examples of this are smartphones and audio/visual devices, such as smart TVs.

Application Processors Versus Dedicated Processors

Application processors are defined by the processor’s ability to execute complex operating systems, such as Linux, Android, and Chrome. Thus, the application processor is general-purpose in nature. A good example of the use of an embedded application processor is the smartphone. The embedded system is designed to support numerous apps and perform a wide variety of functions.

Most embedded systems employ a dedicated processor, which, as the name implies, is dedicated to one or a small number of specific tasks required by the host device. Because such an embedded system is dedicated to a specific task or tasks, the processor and associated components can be engineered to reduce size and cost.

Microprocessors

Early microprocessor chips included registers, an arithmetic/logic unit (ALU), and some sort of control unit or instruction processing logic. As transistor density increased, it became possible to increase the complexity of the instruction set architecture, and ultimately to add memory and more than one processor. Contemporary microprocessor chips include multiple processors, called cores, and a substantial amount of cache memory. However, as shown in Figure 14.5, a microprocessor chip includes only some of the elements that make up a computer system.

FIGURE 14.5 Simplified View of Major Elements of a Multicore Computer

Most computers, including embedded computers in smartphones and tablets, plus personal computers, laptops, and workstations, are housed on a motherboard. Before describing this arrangement, we need to define some terms. A printed circuit board is a rigid, flat board that holds and interconnects chips and other electronic components. The board is made of layers, typically two to ten, that interconnect components via copper pathways that are etched into the board. The main printed circuit board (PCB) in a computer is called a system board or motherboard, and smaller ones that plug into the slots in the main board are called expansion boards.

The most prominent elements on the motherboard are the chips. A chip is a single piece of semiconducting material, typically silicon, upon which electronic circuits and logic gates are fabricated. The resulting product is referred to as an integrated circuit.

The motherboard contains a slot or socket for the processor chip, which typically contains multiple individual cores, in what is known as a multicore processor. There are also slots for memory chips, I/O controller chips, and other key computer components. For desktop computers, expansion slots enable the inclusion of more components on expansion boards. Thus, a modern motherboard connects only a few individual chip components, with each chip containing from a few thousand up to hundreds of millions of transistors.

Microcontrollers

A microcontroller chip makes a substantially different use of the logic space available. Figure 14.6 shows in general terms the elements typically found on a microcontroller chip. As shown, a microcontroller is a single chip that contains the core, nonvolatile memory for the program (ROM), volatile memory for input and output (RAM), a clock, and an I/O control unit. The processor portion of the microcontroller has a much lower silicon area than other microprocessors and much higher energy efficiency.

FIGURE 14.6 Typical Microcontroller Chip Elements

Also called a computer on a chip, billions of microcontroller units are embedded each year in myriad products from toys to appliances to automobiles. For example, a single vehicle can use 70 or more microcontrollers. Typically, especially for the smaller, less expensive microcontrollers, they are used as dedicated processors for specific tasks. For example, microcontrollers are heavily utilized in automation processes. By providing simple reactions to input, they can control machinery, turn fans on and off, open and close valves, and so forth. They are integral parts of modern industrial technology and are among the most inexpensive ways to produce machinery that can handle extremely complex functionalities.

Microcontrollers come in a range of physical sizes and processing power. Processors range from 4-bit to 32-bit architectures. Microcontrollers tend to be much slower than microprocessors, typically operating in the megahertz (MHz) range rather than the gigahertz (GHz) speeds of microprocessors. Another typical feature of a microcontroller is that it does not provide for human interaction. The microcontroller is programmed for a specific task, embedded in its device, and executes as and when required.

Deeply Embedded Systems

A subset of embedded systems, and a quite numerous subset, is referred to as deeply embedded systems. Although this term is widely used in the technical and commercial literature, you will search the Internet in vain (at least the writer did) for a straightforward definition. Generally, we can say that a deeply embedded system has a processor whose behavior is difficult to observe both by the programmer and the user. A deeply embedded system uses a microcontroller rather than a microprocessor, is not programmable once the program logic for the device has been burned into ROM (read-only memory), and has no interaction with a user.

Deeply embedded systems are dedicated, single-purpose devices that detect something in the environment, perform a basic level of processing, and then do something with the results. Deeply embedded systems often have wireless capability and appear in networked configurations, such as networks of sensors deployed over a large area (for example, factory, agricultural field). The Internet of Things depends heavily on deeply embedded systems. Typically, deeply embedded systems have extreme resource constraints in terms of memory, processor size, time, and power consumption.

收发器

Transceivers

 

收发包含传输和接收数据所需的电子器件。大多数 IoT 设备都包含无线收发器,能够使用 Wi-Fi、ZigBee 或其他无线方案进行通信。

A transceiver contains the electronics needed to transmit and receive data. Most IoT devices contain a wireless transceiver, capable of communication using Wi-Fi, ZigBee, or some other wireless scheme.

 

图 14.7是显示收发器基本元件的简化框图。图中上部是发送器,它接受一些模拟或数字输入信号作为输入。该信号被调制到载波频率上。这是通过调制器完成的,调制器的输入是源信号加上振荡器生成的载波。产生的信号经过一个或多个放大器,然后由天线发射。

Figure 14.7 is a simplified block diagram showing the basic elements of a transceiver. The upper part of the figure is the transmitter, which takes some analog or digital input signal as input. This signal is modulated onto a carrier frequency. This is done by a modulator whose input is the source signal plus a carrier wave generated by an oscillator. The resulting signal goes through one or more amplifiers and then is transmitted by an antenna.

 
FIGURE 14.7 Simplified Transceiver Block Diagram

 

The lower part of Figure 14.7 is the receiver. The input to the receiver is the signal captured by the antenna. A low-noise amplifier (LNA) is an electronic amplifier used to amplify very weak signals (for example, captured by an antenna). The LNA is designed to boost the desired signal power while adding as little noise and distortion as possible. Following the LNA, a filter is used to eliminate or reduce unwanted noise and signal components. Then a demodulator converts the filter output to the desired baseband analog or digital signal.

 

RFID

 

Radio-frequency identification (RFID) technology, which uses radio waves to identify items, is increasingly becoming an enabling technology for IoT. The main elements of an RFID system are tags and readers. RFID tags are small programmable devices used for object, animal and human tracking. They come in a variety of shapes, sizes, functionalities, and costs. RFID readers acquire and sometimes rewrite information stored on RFID tags that come within operating range (a few inches up to several feet). Readers are usually connected to a computer system that records and formats the acquired information for further uses.

 
Applications
 

The range of applications of RFID is wide and ever expanding. Four major categories of application are tracking and identification, payment and stored-value systems, access control, and anticounterfeiting.

 

The most widespread use of RFID is for tracking and identification. Early use of RFID was for large high-value items such as train cars and shipping containers. As the price has dropped and the technology improved, this application has expanded dramatically. For example, millions of pets have implanted RFID devices allowing lost animals to be identified and returned to their owner. Another example: tracking and managing the billions of consumer items and components that flow through supply chains is a formidable task, and there has been widespread adoption of RFID tags to simplify the task. To make this process as inexpensive and interoperable as possible, standardized identification schemes have been developed, known as electronic product codes (EPCs).

 

Another key area is payment and stored value systems. Electronic toll systems on highways are one example. Another is the use of electronic key “fobs” for payment at retail stores and entertainment venues.

 

Access control is another widespread application area. RFID proximity cards control building access at many companies and universities. Ski resorts and other leisure venues are also heavy users of this technology.

 

RFID also is effective as an anti-counterfeiting tool. Casinos use RFID tags on chips to prevent the use of counterfeit chips. The prescription drug industry uses RFID tags to cope with the counterfeit drug market. The tags are used to ensure the pedigree of drugs as they move through the supply chain and also to detect theft.

 

Here is a partial list of applications in these four areas:

 

Tracking and identification:

 

Large assets, for example, railway cars and shipping containers

 

Livestock with rugged tags

 

Pets with implanted tags

 

Supply-chain management with EPC

 

Inventory control with EPC

 

Retail checkout with EPC

 

Recycling and waste disposal

 

Patient monitoring

 

Tagging children at school

 

Drivers’ licenses and passports

 

Payment and stored-value systems:

 

Electronic toll systems

 

Contactless credit cards (for example, American Express Blue card)

 

Stored-value systems (for example, ExxonMobil Speedpass)

 

Subway and bus passes

 

Casino tokens and concert tickets

 

Access control:

 

Building access with proximity cards

 

Ski lift passes

 

Concert tickets

 

Automobile ignition systems

 

Anticounterfeiting:

 

Casino tokens (for example, Wynn Casino Las Vegas)

 

High-denomination currency notes

 

Luxury goods (for example, Prada)

 

Prescription drugs

 
Tags
 

Figure 14.8 shows the key elements of an RFID system. Primary wireless communication is between a tag and a reader. The reader retrieves identification information and, depending on the application, other information about the tagged item. The reader then communicates this to a computer system which includes an RFID-related database and RFID-related applications.

 
FIGURE 14.8 Elements of an RFID System

 

Figure 14.9 shows the two key components of a tag. The antenna is a metallic path in the tag whose layout depends on the size and shape of the tag and the operating frequency. Attached to the antenna is a simple microchip with very limited processing and nonvolatile storage.

 
FIGURE 14.9 RFID Tag

 

RFID tags are classified as active, semi-passive, or passive (see Table 14.3). Active RFID tags produce their own signal from a battery, whereas passive RFID tags obtain their power from the RF signal impinging on the tag. Semi-passive tags have a battery that powers the tag's chip, but they communicate like passive tags, by reflecting the reader's signal rather than transmitting one of their own.

 
TABLE 14.3 Types of Tags

 

Active tags are considerably more expensive than passive tags and typically are physically larger. Active tags can generate a stronger signal and thus have a much longer read range and can be read at high speed. Active RFID is the focus of the IEEE 802.15.4f standards effort.

 

For auto-ID and electronic key purposes, passive tags are the most common since they can be fabricated thin enough to be labels and are inexpensive. With a passive tag, the reader actually powers the tag, which then sends back its data to the reader.

 
Readers
 

RFID readers communicate with tags through an RF channel. The reader may obtain simple identification information or a more complex set of parameters. The dialogue is often a simple ping and response but may involve a more complex multiple exchange of information.

 

There is a wide variety of different readers in terms of functionality and basic operating style. In general, there are three categories of readers:

 

Fixed: Fixed readers create portals for automated reading of tags as they pass by. Common applications are to read tags as the associated items enter a room, pass through warehouse dock doors, or travel on a conveyor line.

 

Mobile: Mobile readers are hand-held devices with an RFID antenna and reader and some computing capability. They are made for manually reading tags on the move. They are useful for inventory applications.

 

Desktop: This type of reader is typically attached to a PC or point-of-sale terminal and provides easy input.

 
Operating Frequencies
 

The maximum read distance of a physical tag depends on the RFID reader and its antenna power, the chip used in the tag, the material and thickness of any coating or covering over the tag, the type of antenna the tag uses, the material the tag is attached to, and so on. The frequency band used by tag and reader is a limiting factor on read range. Table 14.4 lists standard frequencies and their respective passive read distances. Higher frequencies provide greater read range and the ability to transfer larger amounts of data. These frequencies can also be used for active tags. In addition, active tags can use the 433-MHz and 2.4-GHz bands, with ranges in the hundreds of meters.

 
TABLE 14.4 Common RFID Operating Frequencies

 
Functionality
 

As the name suggests, the basic functionality of RFID is identification of tagged items. Tags may offer a number of other functionalities that are compatible with the RFID technology and systems. Table 14.5 lists six general classes defined by the standards group EPCglobal.

 
TABLE 14.5 Tag Functionality Classes

 

Class 0 tags provide the most basic identification functionality, such as a product code or a unique identifier. The identifier is set when the tag is manufactured. These are fairly simple and inexpensive. Class 1 tags are similar but allow the identification information to be set after manufacture, by the end user. Class 2 tags may be used as a logging device, in which the tagged item is logged into some system when first encountered and then provides identification information as needed. Class 3 tags provide two additional capabilities: read-write memory and onboard sensor capability. A sensor tag may log and store environmental data without the aid of a reader. Many sensor tags may form a “sensor net” that monitors a physical area’s environmental properties. This may include temperature changes, rapid acceleration, changes in orientation, vibrations, the presence of biological or chemical agents, light, sound, and so on. Because they operate without a reader present, sensor tags must necessarily be semi-passive or active.

 

Class 4 tags, referred to as motes, or smart dust, are able to initiate communication with peers and form ad hoc networks. This leads to a wide variety of applications for small, inexpensive devices with limited communication range. Motes can be implanted or scattered over a region to collect data and pass it on from one to another to some central collection point. For example, a farmer, vineyard owner, or ecologist could equip motes with sensors that detect temperature, humidity, and so forth, making each mote a mini weather station. Scattered throughout a field, vineyard, or forest, these motes would allow the tracking of microclimates. This goes far beyond basic RFID functionality but is included by EPCglobal as a functional extension. Class 5 extends Class 4 to include the ability of one device to provide power to other tags and communicate with devices other than the reader. This opens up even more possibilities.

 

14.4 Key Terms

 

After completing this chapter, you should be able to define the following terms.

 

accuracy

 

actuators

 

application processor

 

dedicated processor

 

deeply embedded system

 

electronic product code (EPC)

 

embedded systems

 

fog computing

 

information technology (IT)

 

Internet of Things (IoT)

 

microcontrollers

 

microprocessor

 

operational technology (OT)

 

precision

 

radio-frequency identification (RFID)

 

RFID reader

 

read range

 

resolution

 

sensors

 

RFID tag

 

transceiver

 

14.5 References

 

KRAK09: Krakowiak, S. Middleware Architecture with Patterns and Frameworks. 2009. http://sardes.inrialpes.fr/%7Ekrakowia/MW-Book/

 

MCEW13: McEwen, A., and Cassimally, H. Designing the Internet of Things. New York: Wiley, 2013.

 

SCHE13: Scherz, P., and Monk, S. Practical Electronics for Inventors. New York: McGraw-Hill, 2013.

 

STAN14: Stankovic, J. “Research Directions for the Internet of Things.” Internet of Things Journal, Vol. 1, No. 1, 2014.

 

Chapter 15. The Internet of Things: Architecture and Implementation

 

Whenever logical processes of thought are employed—that is, whenever thought for a time runs along an accepted groove—there is an opportunity for the machine.

 

—“As We May Think,” Vannevar Bush, The Atlantic, July 1945

 

Chapter Objectives: After studying this chapter, you should be able to

 

Compare and contrast the ITU-T and IoT World Forum IoT reference models.

 

Describe the open source IoTivity IoT implementation.

 

Describe the commercial ioBridge IoT implementation.

 
 

This chapter concludes the discussion of the Internet of Things (IoT). It begins with a description of two important IoT reference models, which together provide insight into the architecture and functioning of an IoT. The chapter then examines three IoT implementations, one open source and two commercial.

 

15.1 IoT Architecture

 

Given the complexity of IoT, it is useful to have an architecture that specifies the main elements and their interrelationship. An IoT architecture can have the following benefits:

 

It provides the IT or network manager with a useful checklist with which to evaluate the functionality and completeness of vendor offerings.

 

It provides guidance to developers as to which functions are needed in an IoT and how these functions work together.

 

It can serve as a framework for standardization, promoting interoperability and cost reduction.

 

We begin this section with an overview of the IoT architecture developed by ITU-T. We then look at one developed by IoT World Forum. The latter architecture, developed by an industry group, offers a useful alternative framework for understanding the scope and functionality of IoT.

 

ITU-T IoT Reference Model

 

The ITU-T IoT reference model is defined in Y.2060, Overview of the Internet of Things, June 2012. Unlike most of the other IoT reference models and architectural models in the literature, the ITU-T model goes into detail about the actual physical components of the IoT ecosystem. This is a useful treatment because it makes visible the elements in the IoT ecosystem that must be interconnected, integrated, managed, and made available to applications. This detailed specification of the ecosystem drives the requirements for the IoT capability.

 

An important insight provided by the model is that the IoT is in fact not a network of physical things. Rather, it is a network of devices that interact with physical things, together with application platforms, such as computers, tablets, and smartphones, that interact with these devices. So, we begin our overview of the ITU-T model with a discussion of devices.

 

Table 15.1 lists definitions of key terms used in Y.2060.

 
TABLE 15.1 Y.2060 IoT Terminology

 
Devices
 

The unique aspect of IoT, compared to other network systems, of course, is the presence of a number of physical things and devices other than computing or data processing devices. Figure 15.1, adapted from one in Y.2060, shows the types of devices in the ITU-T model. The model views an IoT as functioning as a network of devices that are tightly coupled with things. Sensors and actuators interact with physical things in the environment. Data capturing devices read data from/write data to physical things via interaction with a data carrying device or a data carrier attached or associated in some way with a physical object.

 
FIGURE 15.1 Types of Devices and Their Relationship with Physical Things

 

The model makes a distinction between data-carrying devices and data carriers. A data-carrying device is a device in the Y.2060 sense. A device at minimum is capable of communication and may include other electronic capabilities. An example of a data-carrying device is an RFID tag. By contrast, a data carrier is an element attached to a physical thing for the purpose of identification or for providing some other sort of information.

 

Y.2060 notes that technologies used for interaction between data-capturing devices and data-carrying devices or data carriers include radio frequency, infrared, optical, and galvanic driving. Examples of each include the following:

 

Radio frequency: An RFID tag is an example.

 

Infrared: Infrared badges are in use in military, hospital, and other settings where the location and movement of personnel needs to be tracked. Examples include infrared reflective patches used by the military and battery-operated badges that emit identifying information. The latter can include a button that must be pressed so that the badge can be used as a means of passing through a portal, and a badge that automatically repeats the signal as a means of tracking personnel. Remote control devices used in the home or other settings to control electronic devices can also easily be incorporated into an IoT.

 

Optical: Bar codes and QR codes are examples of identifying data carriers that can be read optically.

 

Galvanic driving: An example of this is implanted medical devices that use the conductive properties of the body [FERG11]. In implant-to-surface communication, galvanic coupling is used to send signals from an implanted device to electrodes on the skin. This scheme uses very little power and reduces the size and complexity of the implanted device.

 

The final type of device shown in Figure 15.1 is the general device. These are devices with processing and communications capability that can be incorporated into an IoT. A good example is smart home technology that can integrate virtually every device in the home into a network for central or remote control.

 

Figure 15.2 provides an overview of the elements of interest in IoT. The various ways that physical devices can be connected are shown on the left side of the figure. It is assumed that one or multiple networks support communication among the devices.

 
FIGURE 15.2 Technical Overview of the IoT (Y.2060)

 

Figure 15.2 introduces one additional IoT-related device: the gateway. At a minimum, a gateway functions as a protocol translator. Gateways address one of the greatest challenges in designing for IoT, which is connectivity, both among devices and between devices and the Internet or enterprise network. Smart devices support a wide variety of wireless and wired transmission technologies and networking protocols. Further, these devices typically have limited processing capability. Y.2067, Common Requirements and Capabilities of a Gateway for Internet of Things Applications, June 2014, lays out the requirements for IoT gateways, which generally fall into three categories:

 

The gateway supports a variety of device access technologies, enabling devices to communicate with each other and across an Internet or enterprise network with IoT applications. The access schemes could include, for example, ZigBee, Bluetooth, and Wi-Fi.

 

The gateway supports the necessary networking technologies for both local and wide-area networking. These could include Ethernet and Wi-Fi on the premises, and cellular, Ethernet, digital subscriber line (DSL), and cable access to the Internet and wide-area enterprise networks.

 

The gateway supports interaction with application, network management, and security functions.

 

The first two requirements involve protocol translation between different network technologies and protocol suites. The third requirement is generally referred to as an IoT agent function. In essence, the IoT agent provides higher-level functionality on behalf of IoT devices, such as organizing/summarizing data from multiple devices to pass on to IoT applications, implementing security protocols and functions, and interacting with network management systems.
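To make the IoT agent role concrete, here is an added example of what the third requirement amounts to at a gateway. It is not code from the book, from Y.2060 or from Y.2067; the binary frame layout, the per-device key table and the summary record are assumptions made for illustration. Constrained devices send small fixed-layout frames protected by a truncated HMAC; the gateway checks the MAC with that device's key, drops replayed frames using a per-device counter, and hands the application one summary record per device instead of raw frames. This is the gateway exercising, on behalf of devices that cannot, the device-layer authentication and integrity protection that Y.2060 lists among its generic security capabilities later in this section.

```python
"""IoT agent behaviour of a gateway, as an added illustration.

Not code from the book or from ITU-T Y.2060/Y.2067. The frame format, the
key table and the summary record are assumptions made for this example.
"""
import hashlib
import hmac
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumed device frame on the constrained link:
#   device id (uint16) | counter (uint32) | reading (int16, centi-degrees C)
# followed by an HMAC-SHA256 over those 8 bytes, truncated to 8 bytes to save airtime.
FRAME_FMT = ">HIh"
FRAME_LEN = struct.calcsize(FRAME_FMT)
TAG_LEN = 8


def build_frame(device_id: int, counter: int, reading: int, key: bytes) -> bytes:
    """What a device would send: body followed by its truncated MAC."""
    body = struct.pack(FRAME_FMT, device_id, counter, reading)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Gateway:
    """Authenticates device frames, rejects replays, summarises for the application."""

    def __init__(self, device_keys: Dict[int, bytes]):
        self.device_keys = device_keys
        self.last_counter: Dict[int, int] = {}
        self.readings: Dict[int, List[int]] = defaultdict(list)
        self.rejected: List[Tuple[Optional[int], str]] = []

    def ingest(self, frame: bytes) -> bool:
        if len(frame) != FRAME_LEN + TAG_LEN:
            self.rejected.append((None, "bad length"))
            return False
        body, tag = frame[:FRAME_LEN], frame[FRAME_LEN:]
        device_id, counter, reading = struct.unpack(FRAME_FMT, body)
        key = self.device_keys.get(device_id)
        if key is None:
            self.rejected.append((device_id, "unknown device"))
            return False
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            self.rejected.append((device_id, "bad mac"))
            return False
        # The counter must strictly increase per device; a repeated frame is a replay.
        if counter <= self.last_counter.get(device_id, -1):
            self.rejected.append((device_id, "replay"))
            return False
        self.last_counter[device_id] = counter
        self.readings[device_id].append(reading)
        return True

    def summary(self) -> Dict[int, Dict[str, float]]:
        """One record per device, in degrees C, for the IoT application."""
        return {
            dev: {
                "count": len(vals),
                "min_c": min(vals) / 100,
                "max_c": max(vals) / 100,
                "mean_c": sum(vals) / len(vals) / 100,
            }
            for dev, vals in self.readings.items()
        }


def demo() -> Gateway:
    """Constructed traffic: two legitimate devices plus a replay, an unknown device and a forgery."""
    keys = {0x0001: b"k-device-1", 0x0002: b"k-device-2"}  # illustrative keys only
    gw = Gateway(keys)
    frames = [
        build_frame(0x0001, 1, 2150, keys[0x0001]),
        build_frame(0x0001, 2, 2175, keys[0x0001]),
        build_frame(0x0002, 1, 1980, keys[0x0002]),
        build_frame(0x0001, 2, 2175, keys[0x0001]),   # replay of the second frame
        build_frame(0x0003, 1, 1000, b"guess"),        # device not in the key table
        build_frame(0x0002, 2, 1990, b"wrong-key"),    # MAC computed with the wrong key
    ]
    for frame in frames:
        gw.ingest(frame)
    return gw


if __name__ == "__main__":
    gateway = demo()
    print(gateway.summary())
    print(gateway.rejected)
```

Two design points are worth noting. The MAC is checked before the counter, so an attacker cannot advance a device's replay window by sending unauthenticated frames, and the comparison uses `hmac.compare_digest` rather than `==`. Truncating the tag to 64 bits is a trade of forgery resistance for frame size that the constrained link forces; the gateway, which is not constrained, is the place to apply any rate limiting on failed MACs that such a trade calls for.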

 

At this point, it should be noted that the term communication network is not directly defined in the Y.206x series of IoT standards. The communication network or networks support communication among devices and may directly support application platforms. This may be the extent of a small IoT, such as a home network of smart devices. More generally, the device networks connect to enterprise networks or the Internet for communication with systems that host apps and servers that host databases related to the IoT.

 

We can now return to the left side of Figure 15.2, which illustrates the communication possibilities among devices. The first possibility is for communication between devices via the gateway. For example, a sensor or actuator with Bluetooth capability could communicate with a data-capturing device or general device that uses Wi-Fi by means of the gateway. The second possibility is communication across the communication network without a gateway. For example, all the devices in a smart home network may use Bluetooth and could be managed from a Bluetooth-enabled computer, tablet, or smartphone. The third possibility is devices that communicate directly with each other through a separate local network and then (not shown in the figure) communicate through the communication network via a local network gateway. An example of this third possibility is the following: A number of low-power sensor devices could be deployed in an extended area, such as farmland or a factory. These could communicate with one another to pass data on toward a device connected to a gateway to the communication network.

 

The right side of Figure 15.2 emphasizes that each physical thing in an IoT may be represented in the information world by one or more virtual things but a virtual thing can also exist without any associated physical thing. Physical things are mapped to virtual things stored in databases and other data structures. Applications process and deal with virtual things.

 
Reference Model
 

Figure 15.3 depicts the ITU-T IoT reference model, which consists of four layers as well as management capabilities and security capabilities that apply across layers. We have so far been considering the device layer. In terms of communications functionality, the device layer includes, roughly, the OSI physical and data link layers. We now look at the other layers.

 
FIGURE 15.3 ITU-T Y.2060 IoT Reference Model

 

The network layer performs two basic functions. Networking capabilities refer to the interconnection of devices and gateways. Transport capabilities refer to the transport of IoT service and application specific information as well as IoT-related control and management information. Roughly, these correspond to OSI network and transport layers.

 

The service support and application support layer provides capabilities that are used by applications. Generic support capabilities can be used by many different applications. Examples include common data processing and database management capabilities. Specific support capabilities are those that cater for the requirements of a specific subset of IoT applications.

 

The application layer consists of all the applications that interact with IoT devices.

 

The management capabilities layer covers the traditional network-oriented management functions of fault, configuration, accounting, and performance management. Y.2060 lists the following as examples of generic support capabilities:

 

Device management: Such as device discovery, authentication, remote device activation and de-activation, configuration, diagnostics, firmware/software updating, device working status management

 

Local network topology management: Such as network configuration management

 

Traffic and congestion management: Such as the detection of network overflow conditions and the implementation of resource reservation for time-critical/life-critical data flows

 

Specific management capabilities are tailored to specific classes of applications. An example is smart grid power transmission line monitoring.

 

The security capabilities layer includes generic security capabilities that are independent of applications. Y.2060 lists the following as examples of generic security capabilities:

 

Application layer: Authorization, authentication, application data confidentiality and integrity protection, privacy protection, security audit, and antivirus

 

Network layer: Authorization, authentication, user data and signaling data confidentiality, and signaling integrity protection

 

Device layer: Authentication, authorization, device integrity validation, access control, data confidentiality, and integrity protection

 

Specific security capabilities relate to specific application requirements, such as mobile payment security requirements.

 

IoT World Forum Reference Model

 

The IoT World Forum (IWF) is an industry-sponsored annual event that brings together representatives of business, government, and academia to promote the market adoption of IoT. The IoT World Forum Architecture Committee, made up of industry leaders including IBM, Intel, and Cisco, released an IoT reference model in October 2014. This model serves as a common framework to help the industry accelerate IoT deployments. The reference model is intended to foster collaboration and encourage the development of replicable deployment models.

 
IoT World Forum

 

This reference model is a useful complement to the ITU-T reference model. The ITU-T documents focus on the device and gateway level with only a broad depiction of the upper layers. Indeed, Y.2060 describes the application layer with a single sentence. The ITU-T Y.206x series seems most concerned with defining a framework to support development of standards for interaction with IoT devices. The IWF is concerned with the broader issue of developing the applications, middleware, and support functions for an enterprise-based IoT.

 

Figure 15.4 depicts the seven-level model. The white paper on the IWF model issued by Cisco [CISC14b] indicates that the model is designed to have the following characteristics:

 
图像

图 15.4物联网世界论坛参考模型

FIGURE 15.4 IoT World Forum Reference Model

 

Simplifies: It helps break down complex systems so that each part is more understandable.

Clarifies: It provides additional information to precisely identify levels of the IoT and to establish common terminology.

Identifies: It identifies where specific types of processing are optimized across different parts of the system.

Standardizes: It provides a first step in enabling vendors to create IoT products that work with each other.

Organizes: It makes the IoT real and approachable, instead of simply conceptual.

Physical Devices and Controllers Level

Level 1 consists of physical devices and controllers that might control multiple devices. Level 1 of the IWF model corresponds approximately to the device level of the ITU-T model (Figure 15.3). As with the ITU-T model, the elements at this level are not physical things as such, but rather devices that interact with physical things, such as sensors and actuators. Among the capabilities that devices may have are analog-to-digital and digital-to-analog conversion, data generation, and the ability to be queried/controlled remotely.

Connectivity Level

From a logical point of view, this level enables communication among devices and between devices and the low-level processing that occurs at level 3. From a physical point of view, this level consists of networking devices, such as routers, switches, gateways, and firewalls, that are used to construct local and wide-area networks and provide Internet connectivity. This level enables devices to communicate with one another and to communicate, via the upper logical levels, with application platforms such as computers, remote control devices, and smartphones.

Level 2 of the IWF model corresponds approximately to the network level of the ITU-T model. The main difference is that the IWF model includes gateways in level 2, whereas the ITU-T model puts the gateway at level 1. Because the gateway is a networking and connectivity device, its placement at level 2 seems to make more sense.

Edge Computing Level

In many IoT deployments, massive amounts of data may be generated by a distributed network of sensors. For example, offshore oil fields and refineries can generate a terabyte of data per day. An airplane can create multiple terabytes of data per hour. Rather than store all of that data permanently (or at least for a long period) in central storage accessible to IoT applications, it is often desirable to do as much data processing as close to the sensors as possible. Thus, the purpose of the edge computing level is to convert network data flows into information that is suitable for storage and higher-level processing. Processing elements at this level may deal with high volumes of data and perform data transformation operations, resulting in the storage of much lower volumes of data. The Cisco white paper on the IWF model [CISC14b] lists the following examples of edge computing operations:

Evaluation: Evaluating data against criteria that determine whether it should be processed at a higher level

Formatting: Reformatting data for consistent higher-level processing

Expanding/decoding: Handling cryptic data with additional context (such as the origin)

Distillation/reduction: Reducing/summarizing data to minimize the impact of data and traffic on the network and higher-level processing systems

Assessment: Determining whether data represents a threshold or alert; this could include redirecting data to additional destinations

Processing elements at this level correspond to general devices in the ITU-T model (Figure 15.1; Table 15.1). Generally, they are deployed physically near the edge of the IoT network; that is, near the sensors and other data-generating devices. So, some of the basic processing of large volumes of generated data is offloaded from the IoT application software located at the center.

Processing at the edge computing level is sometimes referred to as fog computing. Fog computing and fog services are expected to be a distinguishing characteristic of the IoT. Figure 15.5 illustrates the concept. Fog computing represents the opposite trend in modern networking from cloud computing. With cloud computing, massive, centralized storage and processing resources are made available over cloud networking facilities to a relatively small number of distributed customers. With fog computing, massive numbers of individual smart objects are interconnected with fog networking facilities that provide processing and storage resources close to the edge devices in an IoT. Fog computing addresses the challenges raised by the activity of thousands or millions of smart devices, including security, privacy, network capacity constraints, and latency requirements. The term fog computing is inspired by the fact that fog tends to hover low to the ground, whereas clouds are high in the sky.

FIGURE 15.5 Fog Computing

Table 15.2, based on one in a paper by Vaquero and Rodero-Merino [VAQU14], compares cloud and fog computing.

TABLE 15.2 Comparison of Cloud and Fog Features

Data Accumulation Level

This level is where data coming from the numerous devices, and filtered and processed by the edge computing level, is placed in storage that will be accessible by higher levels. This level marks a clear distinction in the design issues, requirements, and method of processing between lower-level (fog) computing and upper-level (typically cloud) computing.

Data moving through a network is referred to as data in motion. The rate and organization of the data in motion are determined by the devices generating the data. Data generation is event driven, either periodically or by an event in the environment. To capture the data and deal with it in some fashion, it is necessary to respond in real time. By contrast, most applications do not need to process data at network transfer speeds. As a practical matter, neither the cloud network nor the application platforms would be able to keep up with the data volume generated by a huge number of IoT devices. Instead, applications deal with data at rest, which is data in some readily accessible storage facility. Applications can access the data as needed, on a non-real-time basis. Thus, the upper levels operate on a query or transaction basis, whereas the lower three levels operate on an event basis.

The Cisco white paper on the IWF model [CISC14b] lists the following as operations performed at the data accumulation level:

1. Converts data-in-motion to data-at-rest

2. Converts format from network packets to database relational tables

3. Achieves transition from event-based to query-based computing

4. Dramatically reduces data through filtering and selective storing

Another way of viewing the data accumulation level is that it marks the boundary between IT and OT.
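As an added illustration, not code from Cisco's white paper [CISC14b] or from any IoT product, the following Python pass shows both the edge computing operations listed earlier in this section (formatting, evaluation, distillation/reduction, assessment) and the data accumulation operations just listed: a constructed stream of event-driven readings in two different formats is normalized, implausible or empty readings are dropped at the edge, the rest are reduced to per-device, per-window summary rows, and threshold crossings become alert records that can be forwarded ahead of the batch. The device IDs, the readings, the plausible sensor range and the alert threshold are all assumptions of the example.

```python
"""Edge-level pre-processing of a constructed sensor stream.

Added illustration for this section; it is not code from Cisco's white paper
or from any IoT product. It turns event-driven "data in motion" (one record
per reading) into compact "data at rest" records (per-device, per-window
summaries plus alerts) using the operations the text names: formatting,
evaluation, distillation/reduction and assessment.
"""
from statistics import mean

# Constructed readings: two devices report in different formats (Celsius vs
# Fahrenheit), one value is missing and one is physically implausible.
RAW_READINGS = [
    {"dev": "t-01", "ts": 1000, "temp_c": 21.5},
    {"dev": "t-02", "ts": 1000, "temp_f": 70.0},
    {"dev": "t-01", "ts": 1001, "temp_c": 21.7},
    {"dev": "t-02", "ts": 1001, "temp_f": 71.8},
    {"dev": "t-01", "ts": 1002, "temp_c": 85.0},   # genuine spike: should alert
    {"dev": "t-03", "ts": 1002, "temp_c": None},   # missing value: drop at the edge
    {"dev": "t-01", "ts": 1003, "temp_c": 999.0},  # outside sensor range: drop
    {"dev": "t-02", "ts": 1003, "temp_f": 72.0},
]

SENSOR_RANGE_C = (-40.0, 125.0)   # assumed plausible range of the constructed sensors


def format_reading(r):
    """Formatting: reformat heterogeneous records into one schema (Celsius)."""
    if r.get("temp_f") is not None:
        value = (r["temp_f"] - 32.0) * 5.0 / 9.0
    else:
        value = r.get("temp_c")
    return {"dev": r["dev"], "ts": r["ts"], "temp_c": value}


def evaluate(r):
    """Evaluation: does this reading deserve higher-level processing at all?
    Missing values and values outside the sensor's physical range are
    discarded here rather than forwarded, stored and queried later."""
    v = r["temp_c"]
    return v is not None and SENSOR_RANGE_C[0] <= v <= SENSOR_RANGE_C[1]


def distill(readings, window_s):
    """Distillation/reduction: one summary row per device and time window."""
    groups = {}
    for r in readings:
        groups.setdefault((r["dev"], r["ts"] // window_s), []).append(r["temp_c"])
    return [
        {"dev": dev, "window": w, "count": len(vals), "min": round(min(vals), 2),
         "max": round(max(vals), 2), "mean": round(mean(vals), 2)}
        for (dev, w), vals in sorted(groups.items())
    ]


def assess(readings, alert_c):
    """Assessment: readings over the threshold become alert records that the
    edge can forward immediately (and to extra destinations) instead of
    waiting for the summary batch to reach central storage."""
    return [{"dev": r["dev"], "ts": r["ts"], "temp_c": r["temp_c"], "alert": "high-temp"}
            for r in readings if r["temp_c"] > alert_c]


def process_at_edge(raw, window_s=2, alert_c=60.0):
    """One edge pass: returns the data-at-rest batch plus in/out record counts."""
    kept = [r for r in map(format_reading, raw) if evaluate(r)]
    summaries, alerts = distill(kept, window_s), assess(kept, alert_c)
    return {"summaries": summaries, "alerts": alerts,
            "records_in": len(raw), "records_out": len(summaries) + len(alerts)}


if __name__ == "__main__":
    result = process_at_edge(RAW_READINGS)
    print(f"{result['records_in']} readings in -> {result['records_out']} records out")
    for row in result["summaries"] + result["alerts"]:
        print(row)
```

The summary rows are what the data accumulation level would write as data at rest and what the upper levels would query; the alert list is the event-driven path that still needs a real-time response. With a two-second window on this tiny input the reduction is only 8 records to 5, but the ratio grows with the window length and the sampling rate, which is the point of doing the work at the edge.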

Data Abstraction Level

The data accumulation level absorbs large quantities of data and places them in storage, with little or no tailoring to specific applications or groups of applications. A number of different types of data in varying formats and from heterogeneous processors may be coming up from the edge computing level for storage. The data abstraction level can aggregate and format this data in ways that make access by applications more manageable and efficient. Tasks involved could include the following:

1. Combining data from multiple sources. This includes reconciling multiple data formats.

2. Performing necessary conversions to provide consistent semantics of data across sources.

3. Placing formatted data in the appropriate database. For example, high-volume repetitive data may go into a big data system such as Hadoop. Event data would be steered to a relational database management system, which provides faster query times and an appropriate interface for this type of data.

4. Alerting higher-level applications that data is complete or has accumulated to a defined threshold.

5. Consolidating data into one place (with ETL [extract, transform, load], ELT [extract, load, transform], or data replication) or providing access to multiple data stores through data virtualization.

6. Protecting data with appropriate authentication and authorization.

7. Normalizing or denormalizing and indexing data to provide fast application access.

Application Level

This level contains any type of application that uses IoT input or controls IoT devices. Generally, the applications interact with level 5 and the data at rest, and so do not have to operate at network speeds. Provision should be available for streamlined operation that allows applications to bypass intermediate levels and interact directly with level 3 or even level 2. The IWF model does not strictly define applications, considering this beyond the scope of the IWF model discussion.

Collaboration and Processes Level

This level recognizes the fact that people must be able to communicate and collaborate to make an IoT useful. This may involve multiple applications and the exchange of data and control information across the Internet or an enterprise network.

IoT Reference Model Summary

The IWF views the IoT reference model as an industry-accepted framework aimed at standardizing the concepts and terminology associated with IoT. More importantly, the IWF model sets out the functionalities required and the concerns that must be addressed before the industry can realize the value of the IoT. This model is useful both for suppliers who develop functional elements within the model and for customers developing their requirements and evaluating vendor offerings.

Figure 15.6, adapted from one in a Cisco presentation on the IWF model [CISC14c], pulls together the key concepts in the IWF model.

FIGURE 15.6 IoT World Forum Reference Model: Basic Premises

15.2 IoT Implementation

The preceding section looked at two reference models, which provide a good overview of the desired functionality in an IoT design. This section turns to the practical issue of deploying IoT devices and software, by looking at three implementation efforts. First, we examine an open source software initiative, and then look at two vendor offerings.

IoTivity

IoTivity is an open source software initiative. Its objective is to provide a standard and open source implementation so that devices and services will be able to work together regardless of who makes them.

Two organizations are playing a key role in the IoTivity project. The project is sponsored by the Open Interconnect Consortium (OIC). OIC is an industry consortium whose purpose is to promote an open source implementation to improve interoperability between the billions of devices making up the IoT. To this end, OIC is working on developing standards and an overall framework that will establish a single solution covering interoperability across multiple vertical markets and use cases. The charter of the IoTivity project is to develop and maintain an open source implementation that is compliant with OIC final specifications and passes OIC certification testing.

The IoTivity Project is hosted by the Linux Foundation, the nonprofit consortium dedicated to fostering the growth of Linux and collaborative development. As a Linux Foundation project, IoTivity is overseen by an independent steering group that will work with the OIC. Developers who want to get involved with the project can access RESTful-based application programming interfaces (APIs) and submit code for peer review through the project’s server. It will be made available across a range of programming languages, operating systems, and hardware platforms.

Although OIC, at the time of this writing, has not released any specifications, IoTivity has moved forward with developing an initial “preview” release of its open source code. The initial release includes builds and Getting Started Guides for Linux, Arduino, and Tizen. The code is designed to be portable, and future releases will include builds for additional operating systems.

Protocol Architecture

The IoTivity software provides a number of general-purpose query/response functions to be implemented in IoT devices and in application platforms.

IoTivity makes a distinction between a constrained device and an unconstrained device. Many devices in the IoT, particularly the smaller, more numerous devices, are resource constrained. As pointed out in a paper by Seghal, et al. [SEGH12], technology improvements following Moore’s law continue to make embedded devices cheaper, smaller, and more energy-efficient, but not necessarily more powerful. Typical embedded IoT devices are equipped with 8- or 16-bit microcontrollers that possess very little RAM and storage capacity. Resource-constrained devices are often equipped with an IEEE 802.15.4 radio, which enables low-power, low-data-rate wireless personal-area networks (WPANs) with data rates of 20 to 250 kbps and frame sizes of up to 127 octets.

The term unconstrained device simply refers to any device without severe resource constraints. Such devices might run a general-purpose operating system, such as iOS, Android, Linux, or Windows. Unconstrained devices would include IoT devices with a good amount of processing power and memory, and application platforms for IoT applications.

To accommodate constrained devices, the overall protocol architecture (see Figure 15.7) is implemented in both constrained and unconstrained devices. At the transport level, the software relies on the User Datagram Protocol (UDP), which requires minimal processing power and memory, running on top of the Internet Protocol (IP). Running on top of UDP is the Constrained Application Protocol (CoAP), which is a simplified query/response protocol designed for constrained devices, and which is described subsequently. The IoTivity implementation uses libcoap, which is a C implementation of CoAP that can be used on both constrained and unconstrained devices.

FIGURE 15.7 IoTivity Stack Blocks

The IoTivity base is a set of software development tools that support the creation of applications for communication between clients, which host IoT applications, and servers, which are IoT devices. The base is implemented in C, with additional tools in C++ for unconstrained devices. This software is a base for the development of open source applications that will be part of the IoTivity package, in addition to proprietary, value-added applications developed by vendors.

Constrained Application Protocol

CoAP is defined in RFC 7252, The Constrained Application Protocol, June 2014. The RFC describes CoAP as a specialized web transfer protocol for use with constrained nodes and constrained networks in the IoT. The protocol is designed for machine-to-machine (M2M) applications such as smart energy and building automation. CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the web such as URIs and Internet media types. CoAP is designed to interface easily with HTTP for integration with the web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.

Although CoAP is designed for streamlined use in constrained devices, the protocol, with all its features, is surprisingly complex; RFC 7252 is 112 pages long. Here we provide a brief overview.

An instructive way to begin is to describe the protocol message format, shown in Figure 15.8. There are three categories of messages: Request, Response, and Empty, all of which use the same format. All messages begin with a 32-bit fixed header consisting of the following fields:

FIGURE 15.8 CoAP Formats

Version: The current version is 1.

Type: Message type. There are four message types:

Confirmable: This message requires an acknowledgment using an ACK or Reset message. CoAP normally runs on top of UDP (UDP port number 5683), which provides an unreliable service. Thus the confirmable message type provides reliable delivery when needed.

Nonconfirmable: No acknowledgment is required. This is particularly appropriate for messages that are repeated regularly to meet application requirements, such as repeated readings from a sensor.

Acknowledgment: Acknowledges receipt of a specific confirmable message.

Reset: Indicates that a specific message (confirmable or nonconfirmable) was received, but some context is missing to process it properly.

Token length: Indicates the length of the variable-length token field, if any.

Code: Consists of a 3-bit class and a 5-bit detail. The class indicates one of the following: request, success response, client error response, or server error response. In the case of a request, the detail bits indicate the request method, which can be GET, POST, PUT, or DELETE. In the case of a response, the detail bits indicate the response code (see Table 15.3 and Table 15.4).

TABLE 15.3 CoAP Messages: Classes, Types, and Codes

— Not used

* Not used in normal operation but only to elicit a reset message (“CoAP ping”)

TABLE 15.4 CoAP Messages: Message Type Use by Message Class

Message ID: Used to detect message duplication and to match messages of type acknowledgment/reset to messages of type confirmable/nonconfirmable.

Token: Used to match responses to requests independently from the underlying messages. Note that the token is a concept separate from the message ID. The message ID works at the level of individual messages that require an acknowledgment. The token is intended for use as a client-local identifier for differentiating between concurrent requests (see Section 5.3); it could have been called a request ID.

Options: A sequence of zero or more CoAP options in Type-Length-Value (TLV) format.

To understand the operation of CoAP, we need to distinguish among message class, message type, and message method. The message method is designed to provide a RESTful API to the next higher layer of software, and includes the typical REST functions, defined in CoAP as follows:

See Section 5.4, “REST”

GET: Retrieves a representation for the information that currently corresponds to the resource identified by the request URI. If the request includes an Accept option, it indicates the preferred content-format of the response. If the request includes an ETag option, GET requests that the ETag be validated and that the representation be transferred only if validation failed. Upon success, a Content or Valid response code should be present in the response message.

POST: Requests that the representation enclosed in the request be processed. The actual function performed is determined by the origin server and depends on the target resource. In essence, POST sends some data to a specified URL and, depending on context, some action is taken.

PUT: Requests that the resource identified by the request URI be updated or created with the enclosed representation. In essence, PUT puts a page at a specific URL. If there’s already a page there, it is replaced in its entirety. If there is no page there, a new one is created.

DELETE: Requests that the resource identified by the request URI be deleted.

This simple but powerful API enables upper-layer software to read and control IoT devices without worrying about the details of the protocol used to convey information. Each of the four message methods is conveyed in the Request message class, and a response, if appropriate, is conveyed in one of the three response message classes. Depending on the nature of the request, both the request and the response may be confirmable or nonconfirmable (Table 13.8b). A response can also be carried in an acknowledgment message type (piggybacked response).

Figure 15.9, from RFC 7252, provides a simple example of a CoAP message exchange. It shows a basic GET request causing a piggybacked response. The client sends a confirmable GET request for the resource coap://server/temperature to the server with a message ID of 0x7d34. The request includes one Uri-Path option (Delta 0 + 11 = 11, Length 11, Value “temperature”); the token is left empty. A 2.05 (Content) response is returned in the acknowledgment message that acknowledges the confirmable request, echoing both the message ID 0x7d34 and the empty token value. The response includes a payload of “22.3 C”.

FIGURE 15.9 CoAP Example
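The header fields described above and the Figure 15.9 exchange, as an added example that is not part of the original text and is neither libcoap nor IoTivity code: a small Python codec for the RFC 7252 wire format (fixed header, token, TLV options with the 13/14 delta and length extensions, 0xFF payload marker) together with a constructed server side that parses the datagram, routes on the Uri-Path option to a resource, and answers a confirmable GET with 2.05 Content piggybacked in the ACK, echoing the message ID and token exactly as the figure shows. The decoder checks every length before trusting it, which is the behaviour a practitioner wants from anything that reads raw UDP. The resource table, the message-ID cache used to answer retransmitted confirmable requests, and the message-ID counter for nonconfirmable responses are assumptions of the example.

```python
"""Minimal CoAP (RFC 7252) codec plus a constructed server-side dispatch. Added
example for this section, not libcoap or IoTivity code: header, token, TL V
options (13/14 extensions), 0xFF payload marker, Figure 15.9 CON GET -> ACK."""
import itertools
from dataclasses import dataclass, field

CON, NON, ACK, RST = 0, 1, 2, 3                    # Type field
GET, POST, PUT, DELETE = 1, 2, 3, 4                # request codes 0.01..0.04
CONTENT, NOT_FOUND, NOT_ALLOWED = 0x45, 0x84, 0x85 # 2.05, 4.04, 4.05
URI_PATH = 11                                      # option number (RFC 7252)

@dataclass
class Message:
    mtype: int
    code: int                                      # 3-bit class << 5 | 5-bit detail
    message_id: int
    token: bytes = b""
    options: list = field(default_factory=list)    # [(number, value bytes), ...]
    payload: bytes = b""

def _enc_ext(value):
    """Option delta/length nibble: 0-12 inline, 13 = +1 byte, 14 = +2 bytes."""
    if value < 13:
        return value, b""
    if value < 269:
        return 13, bytes([value - 13])
    return 14, (value - 269).to_bytes(2, "big")

def encode(msg):
    out = bytearray([(1 << 6) | (msg.mtype << 4) | len(msg.token), msg.code & 0xFF])
    out += msg.message_id.to_bytes(2, "big") + msg.token
    prev = 0
    for number, value in sorted(msg.options):      # deltas need ascending numbers
        dn, dx = _enc_ext(number - prev)
        ln, lx = _enc_ext(len(value))
        out += bytes([(dn << 4) | ln]) + dx + lx + value
        prev = number
    if msg.payload:
        out += b"\xff" + msg.payload
    return bytes(out)

def _dec_ext(nibble, data, i):
    if nibble < 13:
        return nibble, i
    if nibble == 13 and i < len(data):
        return data[i] + 13, i + 1
    if nibble == 14 and i + 1 < len(data):
        return int.from_bytes(data[i:i + 2], "big") + 269, i + 2
    raise ValueError("malformed option header")    # nibble 15 is reserved

def decode(data):
    """Strict parser for untrusted UDP input: every length is checked first."""
    if len(data) < 4 or data[0] >> 6 != 1:
        raise ValueError("short header or unsupported version")
    mtype, tkl = (data[0] >> 4) & 3, data[0] & 0xF
    if tkl > 8 or len(data) < 4 + tkl:
        raise ValueError("bad token length")
    code, mid = data[1], int.from_bytes(data[2:4], "big")
    token, i, number, options = bytes(data[4:4 + tkl]), 4 + tkl, 0, []
    while i < len(data) and data[i] != 0xFF:
        dn, ln, i = data[i] >> 4, data[i] & 0xF, i + 1
        delta, i = _dec_ext(dn, data, i)
        length, i = _dec_ext(ln, data, i)
        if i + length > len(data):
            raise ValueError("truncated option value")
        number += delta
        options.append((number, bytes(data[i:i + length])))
        i += length
    payload = bytes(data[i + 1:]) if i < len(data) else b""
    if i < len(data) and not payload:
        raise ValueError("payload marker with no payload")
    return Message(mtype, code, mid, token, options, payload)

# Constructed server side: one entity per Uri-Path, like an IoTivity entity handler.
RESOURCES = {"temperature": b"22.3 C"}
_fresh_mid = itertools.count(0x1000)                # Message IDs for NON responses

def handle_request(raw, seen):
    """CON -> response piggybacked in an ACK (same Message ID and token); NON ->
    NON response with a fresh Message ID, matched by token. `seen` caches ACKs
    by Message ID so a retransmitted CON is answered identically, not processed
    twice (a real server keys on source endpoint too and expires entries)."""
    req = decode(raw)
    if req.mtype == CON and req.message_id in seen:
        return seen[req.message_id]
    rtype = ACK if req.mtype == CON else NON
    mid = req.message_id if rtype == ACK else next(_fresh_mid) & 0xFFFF
    path = "/".join(v.decode("utf-8", "replace") for n, v in req.options if n == URI_PATH)
    if req.code != GET:
        resp = Message(rtype, NOT_ALLOWED, mid, req.token)
    elif path not in RESOURCES:
        resp = Message(rtype, NOT_FOUND, mid, req.token)
    else:
        resp = Message(rtype, CONTENT, mid, req.token, payload=RESOURCES[path])
    out = encode(resp)
    if rtype == ACK:
        seen[req.message_id] = out
    return out
```

Encoding the request from the figure gives the 16 bytes 40 01 7d 34 bb "temperature" (0x40 = version 1, CON, TKL 0; 0x01 = GET; 0xbb = delta 11, length 11), and handle_request answers with 60 45 7d 34 ff "22.3 C" (0x60 = ACK; 0x45 = 2.05). Sending the same datagram again returns the cached ACK, which is how a server tolerates the retransmissions that the confirmable type relies on without acting on a request twice.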


There are other aspects of CoAP that are beyond the scope of this discussion, including security, caching, and proxy capabilities.

IoTivity Base Services

The IoTivity Base is software that runs on top of the CoAP API. It presents a resource model to higher layers, consisting of clients and servers. A server hosts resources, which are of two kinds: entity and entity handler. An entity corresponds to an IoT thing, either an actuator or a sensor. An entity handler is an associated device, such as one that caches data from one or more sensors, or a proxy for gateway-type protocol conversion. The IoTivity Base provides the following services to higher layers:

Resource registration: This is used to register a resource for future access.

Resource and device discovery: This operation returns identification information for all resources of a given type on the network service. The operation is sent via multicast to all services.

Querying a resource (GET): Gets information from a resource.

Setting a resource state (PUT): This operation sets the value of a simple resource.

Observing resource state: This operation fetches, and registers as an observer for, the value of a simple resource. Notifications are then provided to the client on an application-specific schedule.

The following example of querying a resource is from the IoTivity website. This example fetches the state from a light source in the following steps (see Figure 15.10):

FIGURE 15.10 Sequence Diagram for Querying Resource State

1. The client application calls resource.get(...) to retrieve a representation from the resource.

2. The call is marshaled to the stack, which is running either in process or out of process (daemon).

3. The C API is called to dispatch the request. The call may look like the following: OCDoResource(OC_REST_GET, "//192.168.1.11/light/1", 0, 0, OC_CONFIRMABLE, callback);

4. Where CoAP is used as a transport, the lower stack will send a GET request to the target server.

5. On the server side, the OCProcess() function (message pump) receives and parses the request from the socket, then dispatches it to the correct entity handler based on the URI of the request.

6. Where the C++ API is used, the C++ entity handler parses the payload and marshals it to the client application, depending on whether the server stack is running in process or out of process (daemon).

7. The C++ SDK passes it up to the C++ handler associated with the OCResource.

8. The handler returns the result code and representation to the SDK.

9. The SDK marshals the result code and representation to the C++ entity handler.

10. The entity handler returns the result code and representation to the CoAP protocol.

11. The CoAP protocol transports the results to the client device.

12. The results are returned to the OCDoResource callback.

13. The results are returned to the C++ client application’s syncResultCallback.

IoTivity Services

IoTivity Base 服务为上一小节中概述的基本功能提供 RESTful API。除此之外,当前版本还包括四个称为 IoTivity Services 的应用程序。IoTivity Services 为应用程序开发提供了一组通用的功能。这些原始服务旨在提供对应用程序和资源的简单、可扩展的访问,并且完全由自身管理。这四项服务如下:

The IoTivity Base services provide a RESTful API for the basic functions outlined in the preceding subsection. On top of this, the current release includes four applications referred to as IoTivity Services. IoTivity Services provide a common set of functionalities to application development. These primitive services are designed to provide easy, scalable access to applications and resources and are fully managed by themselves. The four services are as follows:

Protocol Plugin Manager: Enables IoTivity applications to communicate with non-IoTivity devices through plug-in protocol converters. It provides several reference protocol plug-ins and plug-in manager APIs to start/stop plug-ins.

Soft Sensor Manager: Provides physical and virtual sensor data on IoTivity in a robust manner useful for application developers. It also provides a deployment and execution environment on IoTivity for higher level virtual sensors. Its functions include the following: collecting physical sensor data; manipulating collected data by aggregating it according to its own composition algorithms; providing data to applications; and detecting specific events and changes.

Things Manager: Creates groups, finds appropriate member things in the network, manages member presence, and makes group action easy. This service eases the task of applications by enabling them to deal with a group of things with single commands/responses.

Control Manager: Provides a framework and services to implement a controller, a controllee, and a REST framework for a controller. It also provides APIs for application developers.

To provide a better understanding of IoTivity, let’s consider one of these services, the Control Manager (CM), shown in Figure 15.11. The CM runs on top of the IoTivity Base on both client and server platforms. CM provides software developer kit (SDK) APIs for discovery of controlled devices and controlling them with RESTful resource operations. CM also provides subscription/notification functionality for monitoring the device operations or state changes.

FIGURE 15.11 IoTivity Control Manager Architecture

In its current release, the CM is best suited to a smart home application. The CM makes use of the Samsung Smart Home Profile. Samsung introduced the Samsung Smart Home in early 2014. It is a service enabling Smart TVs, home appliances and smartphones to be connected and managed through a single integrated platform. Its functionality enables users to control and manage their home devices through a single application by connecting personal and home devices—from refrigerators and washing machines to smart TVs, digital cameras, smartphones and even the wearable device GALAXY Gear—through an integrated platform and server. Although the Samsung Smart Home was introduced by Samsung as a platform for controlling Samsung devices, the profile that defines the functionality can be used in other contexts and was adopted by IoTivity as an effective basis for its CM application.

The CM includes the following components:

SDK API: A RESTful interface for the REST framework, discussed later in this chapter.

Smart home data model: A data schema for all the available home devices and appliances, defining a hierarchical resource model and device attributes. A common set of resources provides information related to device capabilities, device configuration and supported resources. Function-specific resources provide resources specific to a device function, such as thermostat, light, door, and so on. With the help of the data model, application developers can easily compile device information and state and control the device.

RESTful resource request/response handler: Provides the functionality of sending requests from the controller to the controlled device by serializing them from the data model to a message format. It translates received response messages into the smart home data model for delivery to the controller. It uses the Client module for sending requests and receiving responses.

IoTivity client: Implements the client using the IoTivity base framework for messaging with other IoTivity devices per the IoTivity protocol. It supports sending requests to other IoTivity devices (for example, the controlled device) and receiving responses from them.

IoTivity server: Implements the server using the IoTivity base framework for responding to requests from other IoTivity devices. The CM acts as a server for responding to discovery requests from other IoTivity devices and for receiving notifications sent by other IoTivity devices.

Device discovery: Uses the IoTivity discovery mechanism of the base framework to discover other IoTivity devices. Apart from initial device discovery, the CM discovery mechanism retrieves device-specific information and capabilities and maintains the discovered devices’ information in the device list.

Subscription/notification manager: Provides the functionality of subscribing to other devices and receiving notifications from them, as defined in the Samsung Smart Home Profile. This is a RESTful subscription/notification mechanism by which the CM subscribes to resources of other IoTivity devices. The notifying device notifies the CM server at the REST URI specified by the CM in its subscription request. The CM also maintains subscription information for the devices and resources it has already subscribed to.

Referring back to Figure 15.11, we see that the CM provides a set of functions specific to smart home management and builds these on top of the more primitive functions provided by the IoTivity Base. To make the CM accessible to applications using a web-style interface, the IoTivity software release includes a REST framework software layer on top of the CM. The framework includes the following modules:

REST Request Handler: Receives the REST request from the Application module, parses it, validates the request body (schema validation only), and forwards the request to the CM module via its interface. The REST request handler returns an error in case of invalid content (invalid URI, invalid request body, and so on).

Web Cache: Caches the REST requests received from the application. It responds with “304 Not Modified” when there has been no change in the system since the same request was last processed.

Web Filter: Parses the filter parameters from the request URI.

CM Module Interface: Acts as an interface between the REST framework and the CM. It is mainly responsible for forwarding the processed REST requests to the CM. It creates and registers response listeners with the CM, which uses them to respond asynchronously. A timeout of 30 seconds is also maintained here; if no response is received from the CM within that time, an error is sent back to the application.

Figure 15.11 shows three other elements. The execution model is that clients interact with IoTivity through a web interface to a web server using HTTP. The web server provides a user-friendly interface that enables the user to manage smart home devices. Each user request is passed on to the Application module, which parses the HTTP request to extract information (method, URI, request body, and so on) and forwards it to the REST request handler of the REST framework. Responses are returned via the response generator in a similar fashion.
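To make the request path just described concrete, here is a small Python model of the REST framework layer; it is an added example, not code from IoTivity. The REST request handler rejects bad URIs and bodies (schema validation only), the web cache answers 304 Not Modified when the system has not changed since the same request was last answered, the web filter reads filter parameters from the URI, and the CM module interface registers an asynchronous listener and returns an error instead of hanging when the CM stays silent past the timeout (30 seconds by default, as the text states; the demonstration passes a shorter value). The class names, the light resource, its schema and the stand-in CM are assumptions.

```python
import json
import threading
import time
from dataclasses import dataclass
from typing import Any, Dict, Optional
from urllib.parse import parse_qs, urlsplit

@dataclass
class RestRequest:
    method: str
    uri: str                    # path plus optional ?filter=<attribute> query
    body: Optional[str] = None  # JSON text for PUT/POST, None for GET

@dataclass
class RestResponse:
    status: int                 # HTTP-style status code
    body: Any = None

# REST Request Handler: schema validation only (expected keys and JSON types).
# The light resource and its schema are assumptions made for this example.
SCHEMAS = {"PUT /devices/light": {"state": str, "dimmingLevel": int}}

def validate(req: RestRequest) -> Optional[RestResponse]:
    """Return an error response for an invalid URI or body, or None if valid."""
    path = urlsplit(req.uri).path
    if not path.startswith("/devices/"):
        return RestResponse(404, "invalid URI")
    if req.method in ("PUT", "POST"):
        schema = SCHEMAS.get(f"{req.method} {path}")
        if schema is None:
            return RestResponse(400, "no schema for this method and resource")
        try:
            data = json.loads(req.body or "")
        except ValueError:
            return RestResponse(400, "malformed JSON body")
        if not isinstance(data, dict) or set(data) != set(schema):
            return RestResponse(400, "body does not match schema")
        if any(type(data[k]) is not t for k, t in schema.items()):
            return RestResponse(400, "attribute has wrong type")
    return None

def parse_filters(uri: str) -> Dict[str, str]:
    """Web Filter: pull filter parameters such as ?filter=state out of the URI."""
    return {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}

class WebCache:   # Web Cache: at which CM version was each GET last answered?
    def __init__(self) -> None:
        self._seen: Dict[tuple, int] = {}
    def unchanged(self, req: RestRequest, version: int) -> bool:
        return self._seen.get((req.method, req.uri)) == version
    def store(self, req: RestRequest, version: int, resp: RestResponse) -> None:
        if req.method == "GET" and resp.status == 200:   # never cache errors
            self._seen[(req.method, req.uri)] = version

class FakeCM:   # stand-in for the Control Manager; answers via a listener
    def __init__(self, delay: float = 0.0) -> None:
        self.delay = delay                                # simulated CM latency
        self.version = 0                                  # bumped on state change
        self.light = {"state": "off", "dimmingLevel": 0}  # assumed device state
    def submit(self, req, filters, listener) -> None:
        def work() -> None:
            time.sleep(self.delay)
            if req.method == "PUT":                       # body validated upstream
                self.light.update(json.loads(req.body))
                self.version += 1
            data = dict(self.light)
            if "filter" in filters:                       # only the requested attribute
                data = {k: v for k, v in data.items() if k == filters["filter"]}
            listener(RestResponse(200, data))
        threading.Thread(target=work, daemon=True).start()

class CMModuleInterface:   # registers a listener with the CM, fails closed on timeout
    def __init__(self, cm: FakeCM, timeout: float = 30.0) -> None:
        self.cm, self.timeout = cm, timeout               # 30 s per the text
    def forward(self, req: RestRequest, filters: Dict[str, str]) -> RestResponse:
        done, holder = threading.Event(), {}
        def listener(resp: RestResponse) -> None:
            holder["resp"] = resp
            done.set()
        self.cm.submit(req, filters, listener)
        if not done.wait(self.timeout):                   # CM silent: error, not a hang
            return RestResponse(504, "no response from CM within timeout")
        return holder["resp"]

class RestFramework:   # validate -> cache check -> filter -> CM interface -> cache
    def __init__(self, cm: FakeCM, timeout: float = 30.0) -> None:
        self.cm, self.cache = cm, WebCache()
        self.cm_if = CMModuleInterface(cm, timeout)
    def handle(self, req: RestRequest) -> RestResponse:
        err = validate(req)
        if err is not None:                               # reject before anything else
            return err
        if self.cache.unchanged(req, self.cm.version):
            return RestResponse(304, None)
        resp = self.cm_if.forward(req, parse_filters(req.uri))
        self.cache.store(req, self.cm.version, resp)
        return resp
```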

Cisco IoT System

In 2015, Cisco introduced a suite of integrated and coordinated products known as the Cisco IoT System. The philosophy guiding product development is based on the following observations. Cisco estimates that 50 billion devices and objects will be connected to the Internet by 2020. Yet today, more than 99 percent of things in the physical world remain unconnected. To capitalize on the unprecedented opportunities presented by this wave of digitization, companies and cities are increasingly deploying IoT solutions.

However, digitization is complex. Customers are often connecting devices and objects, or converging unrelated networks, at previously unprecedented scales. Furthermore, they can only realize the value of these connections through the application of advanced data analytics, and even then, customers often still need to create a new class of intelligent applications capable of accelerating new business models or increasing productivity. And all this has to happen without sacrificing security at any point in the system, from the device to the data center and via the cloud.

Cisco IoT System addresses the complexity of digitization with an infrastructure that is designed to manage large-scale systems of diverse endpoints and platforms, and the data deluge they create. The system consists of six critical technology pillars that, when combined together into an architecture, help reduce the complexities of digitization. Cisco also announced a number of IoT products within the six pillars and will continue to roll out new products as part of the Cisco IoT System.

Figure 15.12 illustrates the six IoT system pillars as described in the list that follows.

FIGURE 15.12 Cisco IoT System

Network connectivity: Includes purpose-built routing, switching, and wireless products available in ruggedized and nonruggedized form factors.

Fog computing: Provides Cisco’s fog computing, or edge data processing platform, IOx.

Data analytics: An optimized infrastructure to implement analytics and harness actionable data for both the Cisco Connected Analytics Portfolio and third-party analytics software.

Security: Unifies cyber and physical security to deliver operational benefits and increase the protection of both physical and digital assets. Cisco’s IP surveillance portfolio and network products with TrustSec security and cloud/cyber security products allow users to monitor, detect and respond to combined IT and operational technology (OT) attacks.

Management and automation: Tools for managing endpoints and applications.

Application enablement platform: A set of APIs for industries and cities, ecosystem partners and third-party vendors to design, develop, and deploy their own applications on the foundation of IoT System capabilities.

The remainder of this discussion provides an overview of each pillar in turn. Figure 15.13, based on figures in the Cisco IoT System white paper [CISC15b], highlights key elements of each pillar.

FIGURE 15.13 The Cisco IoT Pillars

Network Connectivity

The network connectivity component of Cisco IoT System is a collection of network products for the edge of the network, to support connectivity of smart objects, gateways, and other edge computing devices. Many smart objects are deployed in harsh or demanding environments, such as factories, farms, and other outdoor environments. Typically, these devices communicate wirelessly with limited transmit/receive range. Therefore, edge networking devices need to meet a number of unique requirements, including the following:

Supporting large numbers of end systems

Operating in demanding and possibly remote environments

Close proximity to supported IoT objects

The network connectivity component brings together a number of preexisting and new products designed to support IoT. The product line include reliable, scalable, high-performance networking solutions with a broad portfolio of routing, switching, and wireless products, available in ruggedized and nonruggedized form factors, as well as software only solutions that integrate into third-party devices.

 

产品组合分为以下产品类别:

The product portfolio is organized into the following product categories:

 

图像 工业交换:一系列紧凑、坚固的以太网交换机,可处理工业网络中的安全、语音和视频流量。这些产品的一个关键特性是它们实现了思科专有的弹性以太网协议(REP)。REP 提供了生成树协议 (STP) 的替代方案。REP 提供了一种控制网络环路、处理链路故障和缩短收敛时间的方法。它控制某个网段中连接的一组端口,确保该网段不会创建任何桥接环路,并对网段内的链路故障做出响应。REP为构建复杂网络提供了基础,并支持VLAN负载均衡。

Industrial switching: A range of compact, ruggedized Ethernet switches that handle security, voice, and video traffic across industrial networks. A key feature of these products is that they implement Cisco’s proprietary Resilient Ethernet Protocol (REP). REP provides an alternative to the Spanning Tree Protocol (STP). REP provides a way to control network loops, handle link failures, and improve convergence time. It controls a group of ports connected in a segment, ensures that the segment does not create any bridging loops, and responds to link failures within the segment. REP provides a basis for constructing complex networks and supports VLAN load balancing.

 

图像 工业布线:这些产品经过认证,可以满足恶劣的环境标准。它们支持各种通信接口,例如以太网、串行、蜂窝、WiMAX 和 RF 网状网络。

Industrial routing: These products are certified to meet harsh environmental standards. They support a variety of communications interfaces, such as Ethernet, serial, cellular, WiMAX, and RF mesh.

 

图像 工业无线:专为在各种恶劣或要求苛刻的环境中部署而设计。这些产品提供无线接入点功能并实施 Cisco VideoStream,后者使用封装在单播中的多播来改进多媒体应用。

Industrial wireless: Designed for deployment in a variety of harsh or demanding environments. These products provide wireless access point functionality and implement Cisco VideoStream, which uses multicast encapsulated in unicast to improve multimedia applications.

 

图像 嵌入式网络:思科嵌入式服务交换机针对在恶劣环境下需要交换功能的移动和嵌入式网络进行了优化。主要产品是思科嵌入式服务 2020 系列交换机和路由器产品系列。这些产品实施于可以集成到各种硬件设备中的卡。同样在这一类别中,思科还提供了专为小型、低功耗 Linux 设备设计的软件路由器应用程序。

Embedded networks: Cisco Embedded Service switches are optimized for mobile and embedded networks that require switching capability in harsh environments. The primary product offering is the Cisco Embedded Service 2020 series switches product family of routers. These products are implemented on cards that can be incorporated in a variety of hardware devices. Also in this category, Cisco offers a software router application designed for small, low-powered Linux devices.

Fog Computing

The fog computing component of IoT System consists of software and hardware that extends IoT applications to the network edge, enabling data to be efficiently analyzed and managed where generated, thus reducing latency and bandwidth requirements.

The goal of the fog computing component is to provide a platform for IoT-related apps to be deployed in routers, gateways, and other IoT devices. To host new and existing applications on fog nodes, Cisco provides a new software platform, called IOx, and an API for deploying applications on IOx. The IOx platform combines the Cisco IOS operating system and Linux (see Figure 15.14). Currently, IOx is implemented on Cisco routers.

FIGURE 15.14 Cisco IOx

Cisco IOS (originally Internetwork Operating System) is software used on most Cisco Systems routers and current Cisco network switches. IOS is a package of routing, switching, internetworking, and telecommunications functions integrated into a multitasking operating system. This is not to be confused with Apple’s iOS operating system that runs on iPhones and iPads.

With IOS as a base, IOx combines the communication and computing resources that are required for IoT into a single platform for application enablement at the network edge. As Figure 15.14 shows, an IOx platform, such as a router, runs IOS and Linux in parallel, using the multitasking capability of the multicore processor. Linux is used as a base to support APIs and middleware services that enable partner companies to implement fog applications on the IOx platform.

Data Analytics

The data analytics component of IoT System consists of distributed network infrastructure elements and IoT-specific APIs that run business-specific software analytics packages throughout the network architecture—from the cloud to the fog—and that allow customers to feed IoT data intelligently into business analytics.

The Cisco IoT analytics infrastructure includes the following:

Infrastructure for real-time analytics: The integration of network, storage, and compute capabilities on select Cisco routers, switches, Unified Communications System (UCS) servers, and IP cameras allows analytics to run directly on fog nodes for real-time collection, storage, and analysis at the network edge.

Cloud to fog: Cisco Fog Data Services includes APIs to apply business rules and control which data remains in the fog for real-time analytics and which is sent to the cloud for long-term storage and historical analysis.

Enterprise analytics integration: Using IOx APIs, enterprises can run analytics on fog nodes for real-time intelligence. Fog Data Services allows IoT data exporting to the cloud. Integration of IoT data can increase operational efficiency, improve product quality, and lower costs.

Analytics for security: Cisco IP cameras with storage and compute capabilities support video, audio, and data analytics at the network edge so enterprises gain real-time security intelligence, including event processing and classification.

Security

The intent of the security component is to provide solutions from the cloud to the fog that address the full attack continuum—before, during, and after an attack. The component includes cloud-based threat protection, network and perimeter security, user- and group-based identity services, video analytics, and secure physical access.

The security portfolio includes the following elements:

Cloud-based threat protection: Provided by Cisco’s Advanced Malware Protection (AMP) package. This is a broad spectrum of products that can be deployed on a variety of Cisco and third-party platforms. AMP products use big data analytics, a telemetry model, and global threat intelligence to help enable continuous malware detection and blocking, continuous analysis, and retrospective alerting.

Network and perimeter security: Products include firewall and intrusion prevention systems.

User- and group-based identity services: Products include an Identity Service Engine, which is a security policy management platform that automates and enforces context-aware security access to network resources; and Cisco TrustSec technology, which uses software-defined segmentation to simplify the provisioning of network access, accelerate security operations, and consistently enforce policy anywhere in the network.

Physical security: Cisco’s physical security approach consists of hardware devices and software for security management. Products include video surveillance, IP camera technology, electronic access control, and incident response. Cisco physical security solutions can be integrated with other Cisco and partner technologies to provide a unified interface that delivers situational awareness and rapid, informed decisions.

Management and Automation

The management and automation component is designed to provide simplified management of large IoT networks with support for multiple siloed functions, and to enable the convergence of OT data with the IT network. It includes the following elements:

IoT Field Network Director: A software platform that provides a variety of tools for managing routers, switches, and endpoint devices. These tools include fault management, configuration management, accounting management, performance management, diagnostic and troubleshooting, and a northbound API for industry-specific applications.

Cisco Prime Management Portfolio: A remote management and provisioning solution that provides visibility into the home network. The package discovers detailed information about all connected devices in the home and enables remote management.

Cisco Video Surveillance Manager: Provides video, analytics and IoT sensor integration for providing physical security management.

Application Enablement Platform

This component provides a platform for cloud-based app development and deployment from cloud to fog, simply and at scale. It also offers open APIs and app development environments for use by customers, partners, and third parties. It features the following elements:

Cisco IOx App Hosting: With IOx capability, customers from all segments and solution providers across industries will be able to develop, manage, and run software applications directly on Cisco industrial networked devices, including hardened routers, switches, and IP video cameras.

Cisco Fog Director: Allows central management of multiple applications running at the edge. This management platform gives administrators control of application settings and lifecycle, for easier access and visibility into large-scale IoT deployments.

Cisco IOx Middleware Services: Middleware is the software “glue” that helps programs and databases (which may be on different platforms) work together. Its most basic function is to enable communication between different pieces of software. This element provides tools necessary for IoT and cloud apps to communicate.

ioBridge

IoBridge provides software, firmware, and web services designed to make it simple and cost-effective to Internet-enable devices and products for manufacturers, professionals and casual users. By providing all the components necessary to web-enable things, ioBridge’s customers avoid the complexity and cost associated with piecing together solutions from multiple vendors. The ioBridge offering is essentially a turnkey solution for a broad range of IoT users.

The ioBridge Platform

IoBridge provides a complete end-to-end platform that is secure, private, and scalable for everything from do-it-yourself (DIY) home projects to commercial products and professional applications. ioBridge is both a hardware and cloud services provider. The IoT platform enables the user to create the control and monitoring applications using scalable Web technologies. ioBridge features end-to-end security, real-time I/O streaming to web and mobile apps, and easy-to-install and easy-to-use products.

Figure 15.15 illustrates some of the major features of ioBridge’s technology. The tight integration between the embedded devices and the cloud services enables many of the features shown in the diagram that are not possible with traditional web server technology. Note that the off-the-shelf ioBridge embedded modules also include web-programmable control or “rules and actions.” This enables the ioBridge embedded module to control devices even when it is not connected to the ioBridge cloud server.

FIGURE 15.15 The ioBridge Internet of Things Platform

The major offerings on the device side are firmware, Iota modules, and gateways. Firmware is added where possible to devices to add the functionality to communicate with ioBridge services. Iotas are tiny embedded firmware or hardware modules with either Ethernet or Wi-Fi network connectivity. Gateways are small devices that can act as protocol converters and bridges between IoT devices and ioBridge services.

In essence, the IoT platform provides a seamless mashup of embedded devices with web services. IoBridge markets hardware boards, firmware, and software that can be installed in embedded devices together with apps that can run on platforms such as smartphones and tablets, as well as web services.

ThingSpeak

ThingSpeak is an open source IoT platform developed by ioBridge. ThingSpeak enables the creation of sensor logging applications, location-tracking applications, and a social network of things with status updates. It offers real-time data collection, visualization of the collected data in the form of charts, and the ability to create plug-ins and apps for collaborating with web services, social networks, and other APIs.

The basic element of ThingSpeak is a ThingSpeak channel, which is hosted on the ThingSpeak website. A channel stores data sent to ThingSpeak and consists of the following elements:

Eight fields for storing data of any type: These can be used to store the data from a sensor or from an embedded device.

Three location fields: Can be used to store the latitude, longitude and the elevation. These are very useful for tracking a moving device.

One status field: A short message to describe the data stored in the channel.

IoBridge-enabled devices and platforms with ioBridge apps can communicate via a channel. A ThingSpeak channel can also connect with Twitter so that sensor updates and other data can be communicated via tweet. Note that ThingSpeak is not limited to ioBridge devices; it can work with any device that includes the software necessary to communicate via a ThingSpeak channel.

A user begins by defining a channel on the ThingSpeak website. This is an easy interactive process that includes the following steps:

1. Create new channel with unique ID.

2. Specify whether the channel will be public (open to view by anyone) or private.

3. Create from one to eight fields, which can hold any type of data, giving each field a name.

4. Create API keys. A channel has one write API key. Any data communicated to the channel will only be written into one or more fields if the data is accompanied by the write API key. A channel may have multiple read API keys. If the channel is private, data can only be read by presenting a read API key. A user can associate an app with an API key to perform some sort of data processing or directing.
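The channel model from the steps above, written out as an added Python example (not ioBridge’s or ThingSpeak’s own code): one to eight named data fields, the three location fields, the one status field, a public/private flag, a single write API key that every write must carry, and any number of read API keys that reads of a private channel must present. Class names, the key format and the sample readings are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LOCATION_FIELDS = ("latitude", "longitude", "elevation")  # the three location fields
MAX_FIELDS = 8                                             # up to eight data fields


class ChannelError(Exception):
    """A write or read the channel refuses (bad key, unknown field, private read)."""


@dataclass
class Entry:
    fields: Dict[str, object]                                 # named data fields
    location: Dict[str, float] = field(default_factory=dict)  # lat/long/elevation
    status: Optional[str] = None                              # the one status field


def _key_matches(presented: Optional[str], valid: List[str]) -> bool:
    """Constant-time check of a presented key against a list; None never matches."""
    if presented is None:
        return False
    return any(secrets.compare_digest(presented.encode(), k.encode()) for k in valid)


class Channel:
    """A ThingSpeak-style channel: one write key, any number of read keys."""

    def __init__(self, channel_id: int, field_names: List[str], public: bool) -> None:
        names = list(field_names)
        if not 1 <= len(names) <= MAX_FIELDS or len(set(names)) != len(names):
            raise ValueError(f"a channel has 1 to {MAX_FIELDS} uniquely named fields")
        self.id = channel_id
        self.field_names = names
        self.public = public                     # public: readable without any key
        self.write_key = secrets.token_hex(8)    # exactly one write key per channel
        self.read_keys: List[str] = []           # zero or more read keys
        self.entries: List[Entry] = []

    def new_read_key(self) -> str:
        """Issue an additional read key (a channel may have several)."""
        key = secrets.token_hex(8)
        self.read_keys.append(key)
        return key

    def write(self, api_key: Optional[str], fields: Dict[str, object],
              location: Optional[Dict[str, float]] = None,
              status: Optional[str] = None) -> int:
        """Store an update; only the channel's write key is accepted, never a read key."""
        if not _key_matches(api_key, [self.write_key]):
            raise ChannelError("write rejected: write API key required")
        if not fields:
            raise ChannelError("write rejected: no fields supplied")
        unknown = set(fields) - set(self.field_names)
        if unknown:
            raise ChannelError(f"write rejected: unknown fields {sorted(unknown)}")
        location = dict(location or {})
        if set(location) - set(LOCATION_FIELDS):
            raise ChannelError("write rejected: only latitude/longitude/elevation allowed")
        self.entries.append(Entry(dict(fields), location, status))
        return len(self.entries)                 # entry number of the stored update

    def read(self, api_key: Optional[str] = None) -> List[Entry]:
        """Return all entries; a private channel requires one of its read keys."""
        if not self.public and not _key_matches(api_key, self.read_keys):
            raise ChannelError("read rejected: private channel needs a read API key")
        return list(self.entries)


def attempt(call, *args, **kwargs) -> bool:
    """True if the channel accepts the operation, False if it raises ChannelError."""
    try:
        call(*args, **kwargs)
        return True
    except ChannelError:
        return False
```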

ThingSpeak provides apps that allow for an easier integration with web services, social networks, and other APIs. Some of the apps provided by ThingSpeak are the following:

ThingTweet: Allows the user to post messages to Twitter via ThingSpeak. In essence, this is a TwitterProxy that redirects your posts to Twitter.

ThingHTTP: Allows the user to connect to web services and supports GET, PUT, POST, and DELETE methods of HTTP.

TweetControl: Enables the user to monitor Twitter feeds for a specific keyword and then process the request. Once the specific keyword is found in the Twitter feed, the user can then use ThingHTTP to connect to a different web service or execute a specific action.

React: Sends a tweet or triggers a ThingHTTP request when the channel meets a certain condition.

TalkBack: Queues up commands and then allows a device to act upon these queued commands.

TimeControl: Can perform a ThingTweet, ThingHTTP, or a TalkBack at a specified time in the future. Can also be used to allow these actions to happen at a specified time throughout the week.

 

除了列出的应用程序之外,ThingSpeak 还允许用户使用 HTML、CSS 和 JavaScript 将 ThingSpeak 应用程序创建为插件,这些应用程序可以嵌入网站或 ThingSpeak 通道内。

In addition to the listed apps, ThingSpeak allows users to create ThingSpeak applications as plug-ins using HTML, CSS, and JavaScript, which can be embedded inside a website or inside a ThingSpeak channel.

 
实时游戏
 

ioBridge 的另一个产品是 RealTime.io。该技术与 ThingSpeak 类似,但比 ThingSpeak 更强大、更复杂。RealTime.io 是一个云平台,使任何设备能够连接到云服务和手机,以提供控制、警报、数据分析、客户洞察、远程维护和功能选择。其目的是利用 ioBridge 技术的产品制造商将能够快速、安全地将新的联网家庭产品推向市场,同时大幅削减每台联网设备的成本。

Another offering of ioBridge is RealTime.io. This technology is similar to, but more powerful and sophisticated than, ThingSpeak. RealTime.io is a cloud platform that enables any device to connect to cloud services and mobile phones to provide control, alerts, data analytics, customer insights, remote maintenance, and feature selection. The intent is that product manufacturers that leverage ioBridge’s technology will be able to quickly and securely bring new connected home products to market while slashing their cost-per-connected device.

 
图像

实时游戏

RealTime.io

 

RealTime.io App Builder 允许用户直接在 RealTime.io 云平台上构建 Web 应用程序。用户可以基于 HTML5、CSS 和 JavaScript 编写 Web 应用程序,并创建与设备、社交网络、外部 API 和 ioBridge Web 服务的交互。有浏览器内代码编辑器、JavaScript 库、应用程序更新跟踪、设备管理器以及使用现有 ioBridge 用户帐户的单点登录。RealTime.io 本身可与基于 ioBridge Iota 的设备和固件配合使用。

The RealTime.io App Builder allows the user to build web apps directly on the RealTime.io cloud platform. The user can write web applications based on HTML5, CSS, and JavaScript and create interactions with devices, social networks, external APIs, and ioBridge web services. There is an in-browser code editor, JavaScript library, app update tracking, device manager, and single sign on with existing ioBridge user accounts. RealTime.io natively works with ioBridge Iota-based devices and firmware.

 

RealTime.io 具有内置模板应用程序或自定义应用程序。模板应用程序是预构建的应用程序,用户可以开始使用,然后进行自定义。自定义应用程序允许用户上传自己的文件和图像,而无需任何入门模板。

RealTime.io has built-in template apps or custom apps. Template apps are prebuilt apps that the user can start with and then customize. Custom apps allow the user to upload their own files and images without any starter templates.

 

图 15.16显示了 ioBridge 的整体环境。

Figure 15.16 shows the overall ioBridge environment.

 
图像

图 15.16 ioBridge 环境

FIGURE 15.16 ioBridge Environment

 

15.3 Key Terms

After completing this chapter, you should be able to define the following terms.

accuracy
actuators
application processor
Constrained Application Protocol (CoAP)
constrained device
dedicated processor
deeply embedded system
electronic product code (EPC)
embedded systems
fog computing
information technology (IT)
Internet of Things (IoT)
microcontrollers
microprocessor
operational technology (OT)
precision
radio-frequency identification (RFID)
RFID reader
read range
resolution
unconstrained device
sensors
RFID tag
transceiver

 


 

Part VI: Related Topics

The reader who has persevered thus far in this account will realize the difficulties that were coped with, the hazards that were encountered, the mistakes that were made, and the work that was done.

The World Crisis, Winston Churchill

CHAPTER 16: Security

CHAPTER 17: The Impact of the New Networking on IT Careers

Chapter 16 provides an overview of security issues that have emerged with the evolution of modern networking. Separate sections deal with software-defined networking (SDN), network functions virtualization (NFV), cloud, and IoT security, respectively. Chapter 17 concludes the book with some observations and advice about careers for the network professional.

Chapter 16. Security

To guard against the baneful influence exerted by strangers is therefore an elementary dictate of savage prudence. Hence before strangers are allowed to enter a district, or at least before they are permitted to mingle freely with the inhabitants, certain ceremonies are often performed by the natives of the country for the purpose of disarming the strangers of their magical powers, or of disinfecting, so to speak, the tainted atmosphere by which they are supposed to be surrounded.

The Golden Bough, Sir James George Frazer

Chapter Objectives: After studying this chapter, you should be able to

Describe the key security requirements of confidentiality, integrity, availability, authenticity, and accountability.

Present an overview of SDN security.

Present an overview of NFV security.

Present an overview of cloud security.

Present an overview of IoT security.

This chapter provides an introduction to security issues related to the main networking technologies discussed in this book. The chapter begins with a brief overview of the general security requirements that are relevant in any networking or computer environment. The remaining four sections of the chapter look at security for software-defined networking (SDN), network functions virtualization (NFV), cloud, and Internet of Things (IoT), respectively.

 

16.1 Security Requirements

It will be useful in the discussion in this chapter to start with an enumeration of the general security functions required to protect computer and network data and services. The five basic security functions that are widely accepted as required in most contexts are the following (see Figure 16.1):

FIGURE 16.1 Essential Network and Computer Security Requirements

Confidentiality: This term covers two related concepts:

Data confidentiality: Ensures that private or confidential information is not made available or disclosed to unauthorized individuals.

Privacy: Ensures that individuals control or influence what information related to them may be collected and stored, and by whom and to whom that information may be disclosed.

Integrity: This term covers two related concepts:

Data integrity: Ensures that information (both stored and in transmitted packets) and programs are changed only in a specified and authorized manner.

System integrity: Ensures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.

Availability: Ensures that systems work promptly and that service is not denied to authorized users.

Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.

Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. Because truly secure systems are not yet an achievable goal, it must be possible to trace a security breach to a responsible party. Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes.

These concepts are worth keeping in mind as we discuss the specific security requirements for SDN, NFV, cloud, and IoT. For a more comprehensive discussion of network security, see the author’s book, Cryptography and Network Security [STAL15b].

 

16.2 SDN Security

This section considers SDN security from two points of view: the security threats to SDN, and the use of SDN to enhance network security.

Threats to SDN

SDN represents a significant departure from traditional network architecture and may not mesh well with existing network security approaches. SDN involves a three-layer architecture (application, control, data) and new techniques for network control. All of this introduces the potential for new targets for attack.

Figure 16.2, from a 2014 Network World article [HOGG14], illustrates the potential locations of security threats in an SDN architecture. Threats can occur at any of the three layers or in the communication between layers. As shown, hardware/software platforms at any layer are potential targets for malware or intruder attacks. In addition, the protocols and application programming interfaces (APIs) related to SDN provide a new target for security attacks. This section discusses SDN-specific security threats.

FIGURE 16.2 SDN Security Attack Surfaces

Data Plane

The key area of risk with respect to the data plane is the southbound API, such as OpenFlow and the Open vSwitch Database Management Protocol (OVSDB). This API is a powerful tool for managing the data plane network elements, and it increases the attack surface of the network infrastructure considerably because security is no longer limited to the network equipment supplier. The security of the network could be compromised by an insecure implementation of the southbound protocol. This could enable attackers to add their own flows into the flow table and spoof traffic that would otherwise be disallowed on the network. For example, an attacker might be able to define flows that bypass a firewall to introduce unwanted traffic or provide a means of eavesdropping. More generally, compromising the southbound API would allow attackers to directly control the network elements as a whole.

One way to enhance security is the use of Transport Layer Security (TLS), which evolved from the earlier Secure Sockets Layer (SSL). Figure 14.3 illustrates the position of TLS in the TCP/IP architecture. Before discussing this architecture, we need to define the term socket. In essence, a socket is a method of directing data to the appropriate application in an IP-based network. The combination of the IP address of the host and a TCP or UDP port number makes up a socket address. From the application point of view, a socket interface is an API. The socket interface is a generic communication programming interface implemented on UNIX and many other systems. Two applications communicate through TCP sockets. An application connects to TCP through a socket address and tells TCP what remote application is requested by means of the remote application’s socket address.

FIGURE 16.3 The Role of TLS in the TCP/IP Architecture

With TLS in place, an application has a TLS socket address and communicates with the TLS socket of the remote application. The security functions provided by TLS are transparent to the application and also to TCP. Thus, neither TCP nor the application needs to be modified to invoke the security features of TLS. As shown in Figure 14.3, TLS supports not only HTTP but also any other application that uses TCP.

TLS provides three categories of security:

Confidentiality: All data that pass between the two applications (for example, the two HTTP modules) are encrypted so that they cannot be eavesdropped.

Message integrity: TLS ensures that the message is not altered or substituted en route.

Authentication: TLS can validate the identity of one or both partners to the exchange using public-key certificates. This helps protect against a rogue controller or attacker trying to instantiate rogue flows into the network devices.

TLS consists of two phases: handshake and data transfer. During the handshake, the two sides perform an authentication function and establish an encryption key to be used for data transfer. During data transfer, the two sides use the encryption key to encrypt all transmitted data.

The latest version of the OpenFlow Switch Specification at the time of this writing (Version 1.5.1, March 26, 2015) states:

“Between the datapath and the OpenFlow channel, the interface is implementation-specific, however all OpenFlow channel messages must be formatted according to the OpenFlow switch protocol. The OpenFlow channel is usually encrypted using TLS, but may be run directly over TCP.”

However, because it is impossible to secure the data plane without securing the southbound communication channel (between control plane and data plane), TLS or an equivalent capability is necessary.
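The authentication role of TLS on the southbound channel, as an added Go example that is not part of the book or of any OpenFlow implementation: a switch opens its channel only to a controller whose certificate chains to the operator's CA, while the controller in turn requires the switch's certificate (mutual TLS). The CA, controller, switch and "sdn-controller"-named rogue identities are generated in memory on loopback; the names and the placeholder certificate lifetimes are assumptions, and no OpenFlow messages are exchanged after the handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issueCert returns a P-256 key pair plus an X.509 certificate for cn, self-
// signed when parent is nil (the operator CA, or the rogue's own identity).
func issueCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS entropy source does
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // loopback demo only
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, interface{}(key) // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startController listens on loopback as an OpenFlow controller does. With a
// CA it also requires each switch to present a certificate chained to that CA
// (mutual TLS); the rogue controller passes nil and just accepts anyone.
func startController(cert tls.Certificate, ca *x509.Certificate) net.Listener {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	if ca != nil {
		cfg.ClientCAs = x509.NewCertPool()
		cfg.ClientCAs.AddCert(ca)
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		panic(err) // cannot even open a loopback port
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			// Handshake alone; a real controller would now talk OpenFlow.
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln
}

// openChannel models a switch opening its OpenFlow channel to addr: it shows
// swCert, trusts only controllers chained to ca, and returns the peer's CN.
func openChannel(addr string, swCert tls.Certificate, ca *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	cfg := &tls.Config{Certificates: []tls.Certificate{swCert}, RootCAs: roots, MinVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", addr, cfg) // a rogue controller is refused right here
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// Scenario: one operator CA certifies controller and switch; a second listener
// calls itself "sdn-controller" too but is self-signed. Returns the CN the
// switch accepted and the error the rogue produced.
func Scenario() (acceptedPeer string, rogueErr error, err error) {
	ca := issueCert("sdn-operator-ca", true, nil)
	good := startController(issueCert("sdn-controller", false, &ca), ca.Leaf)
	defer good.Close()
	bad := startController(issueCert("sdn-controller", false, nil), nil) // same name, no CA
	defer bad.Close()
	sw := issueCert("of-switch-01", false, &ca)
	acceptedPeer, err = openChannel(good.Addr().String(), sw, ca.Leaf)
	_, rogueErr = openChannel(bad.Addr().String(), sw, ca.Leaf)
	return acceptedPeer, rogueErr, err
}
```

Running over plain TCP, as the specification permits, the switch would have no way to tell the two listeners apart; with certificate verification the rogue is rejected before it can push a single flow entry.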

 
Control Plane

With SDN, the overall management, orchestration, routing, and other aspects of network traffic flow are concentrated in a single controller or a few distributed controllers. If an attacker can successfully penetrate a controller, the attacker can gain a considerable measure of control over the entire network. So, the SDN controller is a high-value target that needs a high level of protection.

Protection of the controller involves the usual repertoire of computer security techniques, including the following:

Prevention of/protection against distributed denial-of-service (DDoS) attacks. A high-availability controller architecture could go some way toward mitigating a DDoS attack by using redundant controllers to make up for the loss of other controllers.

Access control. A number of standard access control technologies can be employed, including role-based access control (RBAC) and attribute-based access control (ABAC).

Antivirus/antiworm techniques.

Firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).

Application Plane

Northbound APIs and protocols present a likely target for attackers. A successful attack here could allow the attacker to gain control of the networking infrastructure. Thus, SDN security in this area focuses on preventing unauthorized users and applications from exploiting the controller. In addition, the applications themselves are a vulnerable point. If an attacker can gain control of an application, and if that application is then authenticated to the control plane, the amount of damage that can be done is considerable. An authenticated application with a broad range of privileges can exercise considerable control over the configuration and operation of the network.

There are two aspects to countering these threats: mechanisms are needed to authenticate an application’s access to the control plane, and to prevent an authenticated application from being hacked. To counter threats to the authentication process, which involves communication between applications and the controller, that communication needs to be secured by TLS or an equivalent capability. To protect applications, they need to be coded securely, and the application platform needs to be secured against hacking.

Software-Defined Security

Although SDN presents new security challenges for network designers and managers, it also provides a platform for implementing consistent, centrally managed security policies and mechanisms for the network. SDN allows the development of SDN security controllers and SDN security applications that can provision and orchestrate security services and mechanisms.

For security management, security controllers need to provide a secure API for relevant applications. For example, as an application creates virtual machines (VMs) and configures traffic paths, it needs to be able to associate the virtual components with the appropriate security capabilities, such as IDS, IPS, and security information and event management (SIEM).

In fact, security demands may turn out to be one of the key motivating factors for deploying SDN. On the one hand, key networking trends place an increasing burden on system and networking administrators, including the following:

The increase in network traffic volume

The use of VMs for servers, storage, and networking devices

Cloud computing

The growth in the size and complexity of data centers

The growth of IoT applications

On the other hand, malware is becoming increasingly agile and sophisticated. As a result, IT manpower becomes a major security bottleneck. Security managers cannot keep up with the increasing pace of incidents and alerts and the need to fine-tune security controls in response. SDN enables security managers to bridge this response resource gap through intelligent incident detection and automated response.

The use of SDN-enabled automated tools has a benefit in itself, but this is augmented by the ability to respond on a granular basis, such as per flow, per application, or per user.

A wide variety of security applications has been developed, with more on the way. A good example is OpenDaylight’s DDoS application, described in Chapter 6, “SDN Application Plane.”

 

16.3 NFV安全

16.3 NFV Security

 

NFV 极大地改变了网络的设计、构建和管理方式。NFV 将网络功能和网络相关功能从专有硬件中移出,并将它们作为虚拟机放置在服务器上,可以在物理网络环境中需要的地方进行部署。NFV 的安全挑战在于它增加了攻击面并增加了安全复杂性。

NFV dramatically changes how networks are designed, built, and managed. NFV moves network functions and network-associated functions from proprietary hardware and places them as VMs on servers that can be deployed where needed within the physical network environment. The security challenge with NFV is that it increases the attack surface and increases security complexity.

 

攻击面

Attack Surfaces

 

要了解这一挑战,请考虑图 16.4。这重复了图 7.8 ,并指出了潜在的攻击面,正如 Nakina Systems [ NAKI15 ]的白皮书中所建议的那样。与传统的基于硬件的网络相比,NFV 模糊了物理网络功能之间存在的硬边界,使定义和管理安全角色、职责和特权级别变得更加复杂。

To see this challenge, consider Figure 16.4. This repeats Figure 7.8 and indicates potential attack surfaces, as suggested in a white paper from Nakina Systems [NAKI15]. In contrast to traditional hardware-based networks, NFV blurs the hard boundaries that existed between physical network functions, making defining and administering security roles, responsibilities, and privilege levels more complex.

 
图像

图 16.4潜在的 NFV 攻击面

FIGURE 16.4 Potential NFV Attack Surfaces

 

安全需要解决多个级别和域及其交互,包括以下内容:

Security needs to address multiple levels and domains and their interactions, including the following:

 

图像 NFV基础设施(NFVI):这是底层网络、计算和存储系统的领域,支持虚拟计算和存储以及虚拟网络。

The NFV infrastructure (NFVI): This is the domain of the underlying network, compute, and storage systems, supporting virtual computing and storage, and virtual networks.

 

图像 虚拟网络功能 (VNF):这些是在 NFVI VM 上运行的网络功能。

Virtual network functions (VNF): These are the network functions running on NFVI VMs.

 

图像 MANO 和 OSS/BSS:用户使用 NFV 管理和编排 (MANO) 设施以及 OSS/BSS 设施来管理网络和编排资源。

MANO and OSS/BSS: Users employ the NFV management and orchestration (MANO) facility as well as OSS/BSS facilities to manage the network and orchestrate resources.

 

图像 管理接口:这些是 NFV 部署的主要域之间的关键接口。

Management interfaces: These are the critical interfaces between major domains of an NFV deployment.

 

一个关键的安全问题是系统管理控制哪些用户和/或系统可以查看、设置或更改配置参数并影响网络策略。考虑到 NFVI 和 VNF 之间的相互依赖性以及整体服务性能和可用性,这一点尤其重要。此外,由于多个自动化软件系统访问同一共享网络资源池,因此确保安全权限和策略不冲突至关重要。软件支持的配置流程可能会导致编排漏洞,包括网络配置漏洞和恶意配置。

A key security concern is for the system administration to control which users and/or systems can view, set, or change configuration parameters and effect network policies. This is especially important given the interdependencies between NFVIs and VNFs, and overall service performance and availability. Moreover, as multiple automated software systems access the same shared pool of network resources, ensuring that security permissions and policies do not conflict will be crucial. Software-enabled provisioning processes can lead to orchestration vulnerabilities including network configuration exploits and malicious configurations.

 

图 16.4从逻辑角度描述了潜在的 NFV 攻击面。另一个有用的角度是从物理和软件的角度来看。我们特别关心硬件和软件的不同层次以及实体是什么控制并负责每个级别的每个要素。表 16.1重复了第 7 章网络功能虚拟化:概念和架构”中的表 7.4,总结了不同的部署场景,包括物理位置(建筑物)、服务器硬件、管理程序虚拟化软件和 VNF。下面的图 16.5说明了这些关键要素。

Figure 16.4 depicts potential NFV attack surfaces from a logical point of view. Another useful perspective is from the physical and software point of view. In particular, we are concerned with the different levels of hardware and software and what entity is in control and responsible for each element at each level. Table 16.1, which repeats Table 7.4 from Chapter 7, “Network Functions Virtualization: Concepts and Architecture,” summarizes different deployment scenarios that include the physical location (building), the server hardware, the hypervisor virtualizing software, and the VNFs. Figure 16.5, which follows, illustrates these key elements.

 
图像

图 16.5 NFV 部署场景元素

FIGURE 16.5 NFV Deployment Scenario Elements

 
图像

注意:不同的字母代表不同的公司或组织,并选择代表不同的角色(例如,H = 托管提供商、N = 网络运营商、P = 公共、C = 客户)。编号的网络运营商(N1、N2 等)代表多个单独的托管网络运营商。

Note: The different letters represent different companies or organizations, and are chosen to represent different roles (for example, H = hosting provider, N = network operator, P = public, C = customer). The numbered network operators (N1, N2, and so on) represent multiple individual hosted network operators.

 

表 16.1 NFV 部署场景

TABLE 16.1 NFV Deployment Scenarios

 

图 16.5中所示的每个级别(建筑、主机硬件、虚拟机管理程序、VNF)都是潜在的攻击面。但设计一套足够的安全机制由于不同各方可能在各个级别运作,政策变得复杂。因此,安全要求需要考虑到这一点。此外,如果多方共享使用较低级别的资源,则需要采取适当的保护措施。例如,如果来自不同用户的多个VNF使用相同的管理程序在同一台物理服务器上运行,那么分配给每个用户的资源(例如,主内存、辅助内存、I/O端口)的隔离就成为一个设计问题。

Each of the levels indicated in Figure 16.5 (building, host hardware, hypervisor, VNFs) is a potential attack surface. But the design of an adequate set of security mechanisms and policies is complicated by the fact that different parties may operate at each of the levels. Therefore, the security requirements need to take this into account. Further, if there is a shared use of lower-level resources by multiple parties, then appropriate protection measures are needed. For example, if multiple VNFs from different users are running on the same physical server using the same hypervisor, then isolation of resources (for example, main memory, secondary memory, I/O ports) assigned to each user becomes a design issue.

 

ETSI 安全视角

ETSI Security Perspective

 

欧洲电信标准协会 (ETSI) 是制定 NFV 标准的牵头组织,已发布四份与安全相关的文件,作为其标准套件的一部分。根据 ETSI 的定义,每个文件的范围和应用领域如下:

The European Telecommunications Standards Institute (ETSI), which is the lead organization in developing NFV standards, has issued four documents relating to security as part of their standards suite. The scope and field of application of each document, as defined by ETSI, is as follows:

 

图像 网络功能虚拟化安全;问题陈述 (NFV-SEC 001):充分定义 NFV 以了解其安全影响。提供部署场景的参考列表。识别 NFV 带来的新安全漏洞。

NFV Security; Problem Statement (NFV-SEC 001): Define NFV sufficiently to understand its security impact. Provide a reference list of deployment scenarios. Identify new security vulnerabilities resulting from NFV.

 

图像 网络功能虚拟化安全;对与 NFV 相关的管理软件中的安全功能进行编目 (NFV-SEC 002):旨在对与 NFV 相关的管理软件中的安全功能进行编目。它涵盖了 OpenStack 作为第一个案例研究。最初的交付成果是 OpenStack 模块的目录,这些模块提供安全服务(例如身份验证、授权、机密性、完整性保护、日志记录和审计),并包含其各自依赖关系的完整图表,直至实现加密协议和算法的模块。一旦建立了依赖关系图,就可以就哪些选项适合 NFV 部署提出建议。

NFV Security; Cataloguing Security Features in Management Software Relevant to NFV (NFV-SEC 002): Aims to catalogue security features in management software relevant to NFV. It covers OpenStack as the first case study. The initial deliverable is a catalogue of OpenStack modules that provide security services (such as authentication, authorization, confidentiality, integrity protection, logging, and auditing) with the full graphs of their respective dependencies down to the modules that implement cryptographic protocols and algorithms. Once the dependency graph is established, recommendations could be made on which options are appropriate for NFV deployment.

 

图像 网络功能虚拟化安全;安全和信任指南 (NFV-SEC 003):定义安全和信任技术、实践和流程与非 NFV 系统和操作具有不同要求的考虑领域。为支持 NFV 系统和操作并与之交互的环境提供指导,但避免重新定义任何非 NFV 特定的安全注意事项。

NFV Security; Security and Trust Guidance (NFV-SEC 003): Define areas of consideration where security and trust technologies, practices, and processes have different requirements than non-NFV systems and operations. Supply guidance for the environment that supports and interfaces with NFV systems and operations, but avoid redefining any security considerations that are not specific to NFV.

 

图像 网络功能虚拟化安全;隐私和监管;关于合法拦截 (LI) 影响的报告 (NFV-SEC 004):确定 NFV 需要提供的支持 LI 的必要功能,并确定在 NFV 中提供 LI 的挑战。

NFV Security; Privacy and Regulation; Report on Lawful Interception (LI) Implications (NFV-SEC 004): Identifies the necessary capabilities to be provided by NFV to support LI and identifies the challenges of providing LI in an NFV.

 

ETSI 文档对包含 VNF 的网络的所有安全威胁集进行了分类,如图16.6所示并在下面的列表中进行了描述。

The ETSI documents classify the set of all security threats to a network comprising VNFs as illustrated in Figure 16.6 and described in the list that follows.

 
图像

图 16.6 NFV 网络环境中的威胁分类

FIGURE 16.6 Classification of Threats in an NFV Networking Environment

 

图像 一般虚拟化威胁:任何虚拟化实施所面临的威胁,例如无法隔离来宾用户。

Generic virtualization threats: Threats faced by any virtualization implementation, such as failure to isolate guest users.

 

图像 通用网络威胁:特定于虚拟化之前的物理网络功能系统的威胁(例如,DDoS、防火墙破坏或绕过)。

Generic networking threats: Threats specific to the system of physical network functions prior to virtualization (for example, DDoS, firewall breach or bypass).

 

图像 特定于 NFV 的威胁:虚拟化技术与网络相结合而产生的威胁。

NFV-specific threats: Threats that arise with the combining of virtualization technology and networking.

 

特定于 NFV 的威胁示例如下:

Examples of NFV-specific threats include the following:

 

图像使用虚拟机管理程序可能会引入额外的安全漏洞。虚拟机管理程序的第三方认证应有助于阐明其安全属性。一般来说,为了减少正在使用的虚拟机管理程序的漏洞,必须遵循强化和补丁管理的最佳实践。为了确保执行正确的虚拟机管理程序,需要在启动时通过安全启动机制对虚拟机管理程序进行身份验证。

The use of hypervisors may introduce additional security vulnerabilities. Third-party certification of hypervisors should help shed light on their security properties. In general, to reduce the vulnerabilities of the hypervisors in use, it is essential to follow the best practices on hardening and patch management. To ensure that the right hypervisor is being executed calls for authenticating the hypervisor at the boot time through secure boot mechanisms.

The usage of shared storage and shared networking may also add additional dimensions of vulnerability.

The interconnectivity among NFV end-to-end architectural components (for example, hardware resources, VNFs, and management systems) exposes new interfaces that, unless protected, can create new security threats.

The execution of diverse VNFs over the NFV infrastructure can also create additional security issues, in particular if VNFs are not properly isolated from others.

ETSI also makes the observation that virtualization can eliminate some and mitigate other threats inherent to nonvirtualized network functions through the use of hypervisor introspection and other techniques. Hypervisor introspection has become a common security technique in virtualized environments. Hypervisor-based introspection can help detect attacks on VMs and guest operating systems, even when the guest operating systems are tampered with. Introspection works by monitoring memory, program execution, access to data files, and network traffic from outside the guest. It can, in particular, thwart kernel-level rootkits (KLRs).

Security Techniques

It will be useful to examine a somewhat different perspective, provided in a paper by Hawilo et al. [HAWI14]. This paper classifies the NFV environment into three functional domains and specifies the risks and potential solutions for each, as summarized in Table 16.2.

TABLE 16.2 NFV Security Risks

16.4 Cloud Security

There are numerous aspects to cloud security and numerous approaches to providing cloud security measures. A good example of the scope of cloud security concerns and issues is seen in the NIST guidelines for cloud security, specified in SP-800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011, and listed in Table 16.3. Thus, a full discussion of cloud security is well beyond the scope of this chapter. In this section, we discuss some important cloud security topics related to the focus of this book.

TABLE 16.3 NIST Guidelines on Cloud Security and Privacy Issues and Recommendations

The section begins with an overview of key cloud security issues and concerns. This is followed by a discussion of specific cloud security risks and their corresponding countermeasures. The next topic deals with one of the most important cloud security issues: the protection of data stored in the cloud. The discussion then introduces the concept of cloud security as a service. A final subsection looks at technical, operational, and management control functions related to cloud security.

Security Issues and Concerns

Security is important to any computing infrastructure. Companies go to great lengths to secure on-premises computing systems, so it is not surprising that security looms as a major consideration when augmenting or replacing on-premises systems with cloud services. Allaying security concerns is frequently a prerequisite for further discussions about migrating part or all of an organization’s computing architecture to the cloud. Availability is another major concern: “How will we operate if we can’t access the Internet? What if our customers can’t access the cloud to place orders?” are common questions.

Generally speaking, such questions only arise when businesses contemplate moving core transaction processing, such as enterprise resource planning (ERP) systems, and other mission-critical applications to the cloud. Companies have traditionally demonstrated less concern about migrating high-maintenance applications such as e-mail and payroll to cloud service providers, even though such applications hold sensitive information.

Auditability is another concern for many organizations, especially those who must comply with Sarbanes-Oxley and/or Health and Human Services Health Insurance Portability and Accountability Act (HIPAA) regulations. The auditability of their data must be ensured whether it is stored on-premises or moved to the cloud.

Before moving critical infrastructure to the cloud, businesses should perform due diligence on security threats both from outside and inside the cloud. Many of the security issues associated with protecting clouds from outside threats are similar to those that have traditionally faced centralized data centers. In the cloud, however, responsibility for assuring adequate security is frequently shared among users, vendors, and any third-party firms that users rely on for security-sensitive software or configurations. Cloud users are responsible for application-level security. Cloud vendors are responsible for physical security and some software security such as enforcing external firewall policies. Security for intermediate layers of the software stack is shared between users and vendors.

A security risk that can be overlooked by companies considering a migration to the cloud is that posed by sharing vendor resources with other cloud users. Cloud providers must guard against theft or denial-of-service attacks by their users and users need to be protected from one another. Virtualization can be a powerful mechanism for addressing these potential risks because it protects against most attempts by users to attack one another or the provider’s infrastructure. However, not all resources are virtualized and not all virtualization environments are bug-free. Incorrect virtualization may allow user code access to sensitive portions of the provider’s infrastructure or the resources of other users. Once again, these security issues are not unique to the cloud and are similar to those involved in managing noncloud data centers, where different applications need to be protected from one another.

Another security concern that businesses should consider is the extent to which subscribers are protected against the provider, especially in the area of inadvertent data loss. For example, in the event of provider infrastructure improvements, what happens to hardware that is retired or replaced? It is easy to imagine a hard disk being disposed of without being properly wiped clean of subscriber data. It is also easy to imagine permissions bugs or errors that make subscriber data visible to unauthorized users. User-level encryption may be an important self-help mechanism for subscribers, but businesses should ensure that other protections are in place to avoid inadvertent data loss.

Cloud Security Risks and Countermeasures

In general terms, security controls in cloud computing are similar to the security controls in any IT environment. However, because of the operational models and technologies used to enable cloud service, cloud computing may present risks that are specific to the cloud environment. The essential concept in this regard is that the enterprise loses a substantial amount of control over resources, services, and applications but must maintain accountability for security and privacy policies.

In a 2013 report (The Notorious Nine Cloud Computing Top Threats), The Cloud Security Alliance [CSA13] lists the following as the top cloud-specific security threats:

Abuse and nefarious use of cloud computing: For many cloud providers (CPs), it is relatively easy to register and begin using cloud services, some even offering free limited trial periods. This enables attackers to get inside the cloud to conduct various attacks, such as spamming, malicious code attacks, and denial of service. Platform as a Service (PaaS) providers have traditionally suffered most from this kind of attack; however, recent evidence shows that hackers have begun to target Infrastructure as a Service (IaaS) vendors as well. The burden is on the CP to protect against such attacks, but cloud service clients must monitor activity with respect to their data and resources to detect any malicious behavior.

Countermeasures include (1) stricter initial registration and validation processes, (2) enhanced credit card fraud monitoring and coordination, (3) comprehensive inspection of customer network traffic, and (4) monitoring public blacklists for one’s own network blocks.

Unsecure interfaces and APIs: CPs expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. The security and availability of general cloud services is dependent upon the security of these basic APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy.

Countermeasures include (1) analyzing the security model of CP interfaces, (2) ensuring that strong authentication and access controls are implemented in concert with encrypted transmission, and (3) understanding the dependency chain associated with the API.

Malicious insiders: Under the cloud computing paradigm, an organization relinquishes direct control over many aspects of security and, in doing so, confers an unprecedented level of trust onto the CP. One grave concern is the risk of malicious insider activity. Cloud architectures necessitate certain roles that are extremely high-risk. Examples include CP system administrators and managed security service providers.

Countermeasures include (1) enforcing strict supply chain management and conducting a comprehensive supplier assessment, (2) specifying human resource requirements as part of the legal contract, (3) requiring transparency into overall information security and management practices (as well as compliance reporting), and (4) determining security breach notification processes.

Shared technology issues: IaaS vendors deliver their services in a scalable way by sharing infrastructure. Often, the underlying components that make up this infrastructure (CPU caches, GPUs, and so on) were not designed to offer strong isolation properties for a multitenant architecture. CPs typically approach this risk by the use of isolated VMs for individual clients. This approach is still vulnerable to attack, by both insiders and outsiders, and so can only be a part of an overall security strategy.

Countermeasures include (1) implementing security best practices for installation/configuration, (2) monitoring the environment for unauthorized changes/activity, (3) promoting strong authentication and access control for administrative access and operations, (4) enforcing service level agreements (SLAs) for patching and vulnerability remediation, and (5) conducting vulnerability scanning and configuration audits.

Data loss or leakage: For many clients, the most devastating impact from a security breach is the loss or leakage of data. We address this issue in the next section.

Countermeasures include (1) implementing strong API access control, (2) encrypting and protecting integrity of data in transit and at rest, (3) analyzing data protection at both design and run time, and (4) implementing strong key generation, storage and management, and destruction practices.

Account or service hijacking: Account and service hijacking, usually with stolen credentials, remains a top threat. With stolen credentials, attackers can often access critical areas of deployed cloud computing services, allowing them to compromise the confidentiality, integrity, and availability of those services.

Countermeasures include (1) prohibiting the sharing of account credentials between users and services, (2) leveraging strong two-factor authentication techniques where possible, (3) employing proactive monitoring to detect unauthorized activity, and (4) understanding CP security policies and SLAs.

Unknown risk profile: In using cloud infrastructures, the client necessarily cedes control to the cloud provider on a number of issues that may affect security. Thus the client must pay attention to and clearly define the roles and responsibilities involved for managing risks. For example, employees may deploy applications and data resources at the CP without observing the normal policies and procedures for privacy, security, and oversight.

Countermeasures include (1) disclosure of applicable logs and data, (2) partial/full disclosure of infrastructure details (for example, patch levels and firewalls), and (3) monitoring and alerting on necessary information.

Similar lists have been developed by the European Network and Information Security Agency and NIST.

Data Protection in the Cloud

There are many ways to compromise data. Deletion or alteration of records without a backup of the original content is an obvious example. Unlinking a record from a larger context may render it unrecoverable, as can storage on unreliable media. Loss of an encoding key may result in effective destruction. Finally, unauthorized parties must be prevented from gaining access to sensitive data.

The threat of data compromise increases in the cloud, due to the number of, and interactions between, risks and challenges that are either unique to the cloud or more dangerous because of the architectural or operational characteristics of the cloud environment.

Database environments used in cloud computing can vary significantly. Some providers support a multi-instance model, which provides a unique DBMS running on a VM instance for each cloud subscriber. This gives the subscriber complete control over role definition, user authorization, and other administrative tasks related to security. Other providers support a multitenant model, which provides a predefined environment for the cloud subscriber that is shared with other tenants, typically through tagging data with a subscriber identifier. Tagging gives the appearance of exclusive use of the instance, but relies on the cloud provider to establish and maintain a sound, secure database environment.

Data must be secured while at rest, in transit, and in use, and access to the data must be controlled. The client can employ encryption to protect data in transit, though this involves key management responsibilities for the CP. The client can enforce access control techniques but, again, the CP is involved to some extent depending on the service model used.

For data at rest, the ideal security measure is for the client to encrypt the database and only store encrypted data in the cloud, with the CP having no access to the encryption key. So long as the key remains secure, the CP has no ability to decipher the data, although corruption and other denial-of-service attacks remain a risk.

There are a number of ways in which an encryption scheme could be implemented. A very simple arrangement is as follows. Suppose that each individual item in the database is encrypted separately, all using the same encryption key. The encrypted database is stored at the server, but the server does not have the key, so that the data are secure at the server. Even if someone were able to hack into the server’s system, all he or she would have access to is encrypted data. The client system does have a copy of the encryption key. A user at the client can retrieve a record from the database with the following sequence:

1. The user issues an SQL query for fields from one or more records with a specific value of the primary key.

2. The query processor at the client encrypts the primary key, modifies the SQL query accordingly, and transmits the query to the server.

3. The server processes the query using the encrypted value of the primary key and returns the appropriate record or records.

4. The query processor decrypts the data and returns the results.
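The four-step retrieval sequence above, worked through as an added example (this is not code from the book): the server is an in-memory SQLite table that holds only ciphertext, and the client's query processor is the only component holding the key. The per-item deterministic encryption is a toy HMAC-SHA256 construction chosen so the example runs on the Python standard library alone; the table, column and key names are constructed for this example.

```python
"""Client-side encrypted database lookup: every item is encrypted separately
with one client-held key, the server stores and matches ciphertext only, and
the client's query processor encrypts the primary key before querying and
decrypts the returned fields.  Added example; the cipher below is a toy
SIV-style construction built from HMAC-SHA256, not a vetted cipher."""
import hashlib
import hmac
import sqlite3


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from HMAC-SHA256(key, iv || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    """Derive separate keys for the synthetic IV and for the keystream."""
    return (hmac.new(key, b"iv", hashlib.sha256).digest(),
            hmac.new(key, b"enc", hashlib.sha256).digest())


def encrypt_item(key: bytes, plaintext: str) -> str:
    """Deterministically encrypt one database item and return it as hex.

    The IV is a MAC of the plaintext, so equal plaintexts give equal ciphertexts;
    that is what lets the server match an encrypted primary key without the key.
    The IV doubles as an integrity tag that decrypt_item() verifies.
    """
    iv_key, enc_key = _subkeys(key)
    data = plaintext.encode("utf-8")
    iv = hmac.new(iv_key, data, hashlib.sha256).digest()[:16]
    stream = _keystream(enc_key, iv, len(data))
    return (iv + bytes(a ^ b for a, b in zip(data, stream))).hex()


def decrypt_item(key: bytes, token: str) -> str:
    """Invert encrypt_item(); raise ValueError if the item was altered at the server."""
    iv_key, enc_key = _subkeys(key)
    raw = bytes.fromhex(token)
    iv, ct = raw[:16], raw[16:]
    data = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, iv, len(ct))))
    expected_iv = hmac.new(iv_key, data, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(iv, expected_iv):
        raise ValueError("ciphertext integrity check failed")
    return data.decode("utf-8")


def new_server() -> sqlite3.Connection:
    """The cloud-side database: a table whose every column holds ciphertext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (emp_id TEXT PRIMARY KEY, name TEXT, salary TEXT)")
    return conn


class QueryProcessor:
    """Client-side query processor; the server never receives the key."""

    def __init__(self, key: bytes):
        self.key = key

    def insert(self, server, emp_id: str, name: str, salary: str) -> None:
        # Each item is encrypted separately, all with the same key.
        server.execute("INSERT INTO employees VALUES (?, ?, ?)",
                       tuple(encrypt_item(self.key, v) for v in (emp_id, name, salary)))

    def lookup(self, server, emp_id: str):
        # Steps 2-4: encrypt the primary key, rewrite the query around the
        # ciphertext, let the server match on it, then decrypt the result.
        enc_pk = encrypt_item(self.key, emp_id)
        row = server.execute("SELECT name, salary FROM employees WHERE emp_id = ?",
                             (enc_pk,)).fetchone()
        if row is None:
            return None
        return {"emp_id": emp_id,
                "name": decrypt_item(self.key, row[0]),
                "salary": decrypt_item(self.key, row[1])}


def server_view(server) -> list:
    """What someone who breaks into the server can read: ciphertext only."""
    return server.execute("SELECT * FROM employees").fetchall()


def tamper_detected(key: bytes, plaintext: str) -> bool:
    """Flip one ciphertext byte 'at the server' and confirm the client notices."""
    raw = bytearray(bytes.fromhex(encrypt_item(key, plaintext)))
    raw[-1] ^= 0x01
    try:
        decrypt_item(key, raw.hex())
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Load constructed sample records and run one lookup by primary key."""
    key = hashlib.sha256(b"client-held key (constructed for the example)").digest()
    server = new_server()
    qp = QueryProcessor(key)
    qp.insert(server, "1001", "A. Rivera", "72000")
    qp.insert(server, "1002", "B. Chen", "81000")
    rows = server_view(server)
    leaked = any("Chen" in cell or "Rivera" in cell for row in rows for cell in row)
    return {"record": qp.lookup(server, "1002"),
            "missing": qp.lookup(server, "9999"),
            "rows": len(rows),
            "plaintext_visible_at_server": leaked}
```

Because equal plaintexts encrypt to equal ciphertexts, the server can still observe which stored items are equal and which encrypted key each query targets; that equality leakage is the price of matching on an encrypted primary key and is one reason the text points to more flexible schemes.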

More efficient and flexible systems have been implemented. See the author’s book, Computer Security: Principles and Practice for details [STAL15a].

Cloud Security as a Service

The term Security as a Service has generally meant a package of security services offered by a service provider that offloads much of the security responsibility from an enterprise to the security service provider. Among the services typically provided are authentication, anti-virus, antimalware/spyware, intrusion detection, and security event management. In the context of cloud computing, Cloud Security as a Service, designated SecaaS, is a segment of the SaaS offering of a CP.

The Cloud Security Alliance defines SecaaS as the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems [CSA11]. The Cloud Security Alliance has identified the following SecaaS categories of service:

Identity and access management

Data loss prevention

Web security

E-mail security

Security assessments

Intrusion management

Security information and event management

Encryption

Business continuity and disaster recovery

Network security

This section covers these categories with a focus on security of the cloud-based infrastructure and services (see Figure 16.7).

FIGURE 16.7 Elements of Cloud Security as a Service

Identity and access management (IAM) includes people, processes, and systems that are used to manage access to enterprise resources by assuring that the identity of an entity is verified, and then granting the correct level of access based on this ensured identity. One aspect of identity management is identity provisioning, which has to do with providing access to identified users and subsequently deprovisioning, or denying access, to users when the client enterprise designates such users as no longer having access to enterprise resources in the cloud. Another aspect of identity management is for the cloud to participate in the federated identity management scheme used by the client enterprise. Among other requirements, the cloud service provider (CSP) must be able to exchange identity attributes with the enterprise’s chosen identity provider.

The access management portion of IAM involves authentication and access control services. For example, the CSP must be able to authenticate users in a trustworthy manner. The access control requirements in SPI environments include establishing trusted user profile and policy information, using it to control access within the cloud service, and doing this in an auditable way.

Data loss prevention (DLP) is the monitoring, protection, and verification of the security of data at rest, in motion, and in use. Much of DLP can be implemented by the cloud client, as discussed in the preceding subsection, “Data Protection in the Cloud.” The CSP can also provide DLP services, such as implementing rules about what functions can be performed on data in various contexts.

Web security is real-time protection offered either on premise through software/appliance installation or via the cloud by proxying or redirecting web traffic to the CP. This provides an added layer of protection on top of things such as antivirus to prevent malware from entering the enterprise via activities such as web browsing. In addition to protecting against malware, a cloud-based web security service might include usage policy enforcement, data backup, traffic control, and web access control.

A CSP may provide a web-based e-mail service, for which security measures are needed. E-mail security provides control over inbound and outbound e-mail, protecting the organization from phishing and malicious attachments and enforcing corporate policies such as acceptable use and spam prevention. The CSP may also incorporate digital signatures on all e-mail clients and provide optional e-mail encryption.

Security assessments are third-party audits of cloud services. While this service is outside the province of the CSP, the CSP can provide tools and access points to facilitate various assessment activities.

Intrusion management encompasses intrusion detection, prevention, and response. The core of this service is the implementation of intrusion detection systems (IDS) and intrusion prevention systems (IPS) at entry points to the cloud and on servers in the cloud. An IDS is a set of automated tools designed to detect unauthorized access to a host system. An IPS incorporates IDS functionality but also includes mechanisms designed to block traffic from intruders.

Security information and event management (SIEM) aggregates (via push or pull mechanisms) log and event data from virtual and real networks, applications, and systems. This information is then correlated and analyzed to provide real-time reporting and alerting on information/events that may require intervention or other types of response. The CSP typically provides an integrated service that can put together information from a variety of sources both within the cloud and within the client enterprise network.

Encryption is a pervasive service that can be provided for data at rest in the cloud, e-mail traffic, client-specific network management information, and identity information. Encryption services provided by the CSP involve a range of complex issues, including key management, how to implement virtual private network (VPN) services in the cloud, application encryption, and data content access.

Business continuity and disaster recovery comprise measures and mechanisms to ensure operational resiliency in the event of any service interruptions. This is an area where the CSP, because of economies of scale, can offer obvious benefits to a cloud service client. The CSP can provide backup at multiple locations, with reliable failover and disaster recovery facilities. This service must include a flexible infrastructure, redundancy of functions and hardware, monitored operations, geographically distributed data centers, and network survivability.

Network security consists of security services that allocate access, distribute, monitor, and protect the underlying resource services. Services include perimeter and server firewalls and denial-of-service protection. Many of the other services listed in this section, including intrusion management, identity and access management, data loss protection, and web security, also contribute to the network security service.

Addressing Cloud Computer Security Concerns

Numerous documents have been developed to guide business thinking about the security issues associated with cloud computing. In addition to SP-800-144, which provides overall guidance, NIST has issued SP-800-146, Cloud Computing Synopsis and Recommendations, May 2012. NIST’s recommendations systematically consider each of the major types of cloud services consumed by businesses including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). Security issues vary somewhat depending on the type of cloud service, but multiple NIST recommendations are independent of service type. Not surprisingly, NIST recommends selecting cloud providers that support strong encryption, have appropriate redundancy mechanisms in place, use authentication mechanisms, and offer subscribers sufficient visibility about mechanisms used to protect subscribers from other subscribers and the provider. SP-800-146 also lists the overall security controls that are relevant in a cloud computing environment and that must be assigned to the different cloud actors as listed in Table 16.4.

TABLE 16.4 Control Functions and Classes

As more businesses incorporate cloud services into their enterprise network infrastructures, cloud computing security will persist as an important issue. Examples of cloud computing security failures have the potential to have a chilling effect on business interest in cloud services, and this is inspiring service providers to be serious about incorporating security mechanisms that will allay concerns of potential subscribers. Some service providers have moved their operations to Tier 4 data centers to address user concerns about availability and redundancy. Because so many businesses remain reluctant to embrace cloud computing in a big way, cloud service providers will have to continue to work hard to convince potential customers that computing support for core business processes and mission critical applications can be moved safely and securely to the cloud.

16.5 IoT Security

IoT is perhaps the most complex and undeveloped area of network security. To see this, consider Figure 16.8, which shows the main elements of interest for IoT security. At the center of the network are the application platforms, data storage servers, and network and security management systems. These central systems gather data from sensors, send control signals to actuators, and are responsible for managing the IoT devices and their communication networks. At the edge of the network are IoT-enabled devices, some of which are quite simple constrained devices and some of which are more intelligent unconstrained devices. As well, gateways may perform protocol conversion and other networking services on behalf of IoT devices.

 
图像

图 16.8物联网安全:感兴趣的要素

FIGURE 16.8 IoT Security: Elements of Interest

 

图 16.8说明了互连和包含安全功能的许多典型场景。

Figure 16.8 illustrates a number of typical scenarios for interconnection and the inclusion of security features.

 

图 16.8中的阴影表示至少支持其中一些功能的系统。通常,网关将实现安全功能,例如 TLS 和 IPsec。不受约束的设备可能会也可能不会实现某些安全功能。受限设备通常具有有限的安全功能或没有安全功能。如图所示,网关设备可以提供网关之间的安全通信以及中心的设备,如应用平台、管理平台等。然而,连接到网关的任何受约束或不受约束的设备都位于网关和中央系统之间建立的安全区域之外。如图所示,不受约束的设备可以直接与中心通信并支持安全功能。然而,未连接到网关的受限设备无法与中央设备进行安全通信。

The shading in Figure 16.8 indicates the systems that support at least some of these functions. Typically, gateways will implement secure functions, such as TLS and IPsec. Unconstrained devices may or may not implement some security capability. Constrained devices generally have limited or no security features. As suggested in the figure, gateway devices can provide secure communication between the gateway and the devices at the center, such as application platforms and management platforms. However, any constrained or unconstrained devices attached to the gateway are outside the zone of security established between the gateway and the central systems. As shown, unconstrained devices can communicate directly with the center and support security functions. However, constrained devices that are not connected to gateways have no secure communications with central devices.

 

修补漏洞

The Patching Vulnerability

 

在 2014 年一篇经常被引用的文章中,安全专家 Bruce Schneier 表示,我们正处于嵌入式系统(包括物联网设备)安全性的危机时刻 [SCHN14]。嵌入式设备充满了漏洞,并且没有很好的方法来修补它们。芯片制造商有强烈的动机尽可能快速、廉价地生产带有固件和软件的产品。设备制造商根据价格和功能来选择芯片,并且对芯片软件和固件做的很少(如果有的话)。他们的重点是设备本身的功能。最终用户可能无法修补系统,或者即使有,也几乎没有关于何时以及如何修补的信息。结果是物联网中数亿个联网设备很容易受到攻击。这肯定是传感器的问题,允许攻击者将虚假数据插入网络。对于执行器来说,这可能是一个更严重的威胁,攻击者可以影响机器和其他设备的运行。

In an often-quoted 2014 article, security expert Bruce Schneier stated that we are at a crisis point with regard to the security of embedded systems, including IoT devices [SCHN14]. The embedded devices are riddled with vulnerabilities, and there is no good way to patch them. The chip manufacturers have strong incentives to produce their product with its firmware and software as quickly and cheaply as possible. The device manufacturers choose a chip based on price and features and do very little if anything to the chip software and firmware. Their focus is the functionality of the device itself. The end user may have no means of patching the system or, if so, little information about when and how to patch. The result is that the hundreds of millions of Internet-connected devices in the IoT are vulnerable to attack. This is certainly a problem with sensors, allowing attackers to insert false data into the network. It is potentially a graver threat with actuators, where the attacker can affect the operation of machinery and other devices.

 

ITU-T 定义的物联网安全和隐私要求

IoT Security and Privacy Requirements Defined by ITU-T

 

ITU-T 建议 Y.2066,物联网的常见要求,2014 年 6 月,包含物联网安全要求列表。此列表是了解物联网部署所需的安全实施范围的有用基准。需求被定义为捕获、存储、传输、聚合和处理事物数据以及提供涉及事物的服务的功能需求。这些要求与所有物联网参与者相关。要求如下:

ITU-T Recommendation Y.2066, Common Requirements of the Internet of Things, June 2014, includes a list of security requirements for the IoT. This list is a useful baseline for understanding the scope of security implementation needed for an IoT deployment. The requirements are defined as being the functional requirements during capturing, storing, transferring, aggregating and processing the data of things, as well as to the provision of services which involve things. These requirements are related to all the IoT actors. The requirements are as follows:

 

图像 通信安全:需要安全、可信、隐私保护的通信能力,以便在数据传输或传输过程中禁止对数据内容的未经授权的访问,保证数据的完整性,保护数据的隐私相关内容在物联网领域。

Communication security: Secure, trusted, and privacy-protected communication capability is required, so that unauthorized access to the content of data can be prohibited, integrity of data can be guaranteed and privacy-related content of data can be protected during data transmission or transfer in IoT.

 

图像 数据管理安全:需要安全、可信、隐私保护的数据管理能力,禁止对数据内容的未经授权的访问,保证数据的完整性,在存储或存储时保护涉及隐私的数据内容。处理物联网中的数据。

Data management security: Secure, trusted, and privacy-protected data management capability is required, so that unauthorized access to the content of data can be prohibited, integrity of data can be guaranteed and privacy-related content of data can be protected when storing or processing data in IoT.

 

图像 服务提供安全:需要安全、可信、隐私保护的服务提供能力,禁止未经授权的服务访问和欺诈性服务提供,保护物联网用户的隐私信息。

Service provision security: Secure, trusted, and privacy-protected service provision capability is required, so that unauthorized access to service and fraudulent service provision can be prohibited and privacy information related to IoT users can be protected.

 

图像 安全策略和技术的集成:需要能够集成不同的安全策略和技术,以确保对物联网中的各种设备和用户网络进行一致的安全控制。

Integration of security policies and techniques: The ability to integrate different security policies and techniques is required, so as to ensure a consistent security control over the variety of devices and user networks in IoT.

 

图像 相互认证和授权:设备(或物联网用户)接入物联网之前,需要根据预定义的安全策略,在设备(或物联网用户)与物联网之间进行相互认证和授权。

Mutual authentication and authorization: Before a device (or an IoT user) can access the IoT, mutual authentication and authorization between the device (or the IoT user) and IoT is required to be performed according to predefined security policies.

 

图像 安全审计:物联网需要支持安全审计。根据适当的法规和法律,任何数据访问或尝试访问物联网应用程序都必须完全透明、可追踪和可复制。特别是,物联网需要支持数据传输、存储、处理和应用访问的安全审计。

Security audit: Security audit is required to be supported in IoT. Any data access or attempt to access IoT applications are required to be fully transparent, traceable and reproducible according to appropriate regulation and laws. In particular, IoT is required to support security audit for data transmission, storage, processing, and application access.

 

在物联网部署中提供安全性的关键要素是网关。Y.2067,物联网应用网关的常见要求和功能,2014 年 6 月,详细介绍了网关应实现的特定安全功能,其中一些如图 16.9所示。这些包括以下内容:

A key element in providing security in an IoT deployment is the gateway. Y.2067, Common Requirements and Capabilities of a Gateway for Internet of Things Applications, June 2014, details specific security functions that the gateway should implement, some of which are illustrated in Figure 16.9. These consist of the following:

 
图像

图 16.9 IoT 网关安全功能

FIGURE 16.9 IoT Gateway Security Functions

 

图像支持对所连接设备的每次访问进行识别。

Support identification of each access to the connected devices.

 

图像支持设备认证。根据应用需求和设备能力,需要支持与设备的双向或单向认证。使用单向身份验证时,要么设备向网关验证自身身份,要么网关向设备验证自身身份,但不能同时进行两者验证。

Support authentication with devices. Based on application requirements and device capabilities, it is required to support mutual or one-way authentication with devices. With one-way authentication, either the device authenticates itself to the gateway or the gateway authenticates itself to the device, but not both.

 

图像支持与应用程序的相互认证。

Support mutual authentication with applications.

 

图像支持设备和网关中存储的数据、网关与设备之间传输的数据、网关与应用程序之间传输的数据的安全性。根据安全级别支持这些数据的安全。

Support the security of the data that are stored in devices and the gateway, or transferred between the gateway and devices, or transferred between the gateway and applications. Support the security of these data based on security levels.

 

图像支持保护设备和网关隐私的机制。

Support mechanisms to protect privacy for devices and the gateway.

 

图像支持自诊断、自修复以及远程维护。

Support self-diagnosis and self-repair as well as remote maintenance.

 

图像支持固件和软件更新。

Support firmware and software update.

 

图像支持自动配置或应用程序配置。要求网关支持多种配置方式,例如远程和本地配置、自动和手动配置、基于策略的动态配置等。

Support auto configuration or configuration by applications. The gateway is required to support multiple configuration modes, for example, remote and local configuration, automatic and manual configuration, and dynamic configuration based on policies.

 

当其中一些要求涉及为受限设备提供安全服务时,它们可能难以实现。例如,网关应支持设备中存储的数据的安全性。如果受限设备没有加密功能,这可能无法实现。

Some of these requirements may be difficult to achieve when they involve providing security services for constrained devices. For example, the gateway should support security of data stored in devices. Without encryption capability at the constrained device, this may be impractical to achieve.

 

请注意,Y.2067 要求多次引用隐私要求。随着物联网设备在家庭、零售店、车辆和人类中的广泛部署,隐私成为人们日益关注的一个领域。随着越来越多的事物互联,政府和私营企业将收集大量有关个人的数据,包括医疗信息、位置和移动信息以及应用程序使用情况。

Note that the Y.2067 requirements make a number of references to privacy requirements. Privacy is an area of growing concern with the widespread deployment of IoT-enabled things in homes, retail outlets, and vehicles and humans. As more things are interconnected, governments and private enterprises will collect massive amounts of data about individuals, including medical information, location and movement information, and application usage.

 

物联网安全框架

An IoT Security Framework

 

思科在物联网世界论坛参考模型的开发中发挥了主导作用(见图15.4),它开发了一个物联网安全框架 [FRAH15],作为世界论坛物联网参考模型的有用补充。

Cisco, which has played a lead role in the development of the IoT World Forum Reference Model (see Figure 15.4), has developed a framework for IoT security [FRAH15] that serves as a useful complement to the World Forum IoT Reference Model.

 

图16.10说明了与物联网逻辑结构相关的安全环境。物联网模型是世界论坛物联网参考模型的简化版本。它由以下级别组成:

Figure 16.10 illustrates the security environment related to the logical structure of an IoT. The IoT model is a simplified version of the World Forum IoT Reference Model. It consists of the following levels:

 
图像

图 16.10物联网安全环境

FIGURE 16.10 IoT Security Environment

 

图像 智能对象/嵌入式系统:由传感器、执行器和网络边缘的其他嵌入式系统组成。这是物联网中最脆弱的部分。这些设备可能不在物理安全的环境中,并且可能需要运行多年。可用性当然是一个问题。此外,网络管理员需要关注传感器生成的数据的真实性和完整性,并保护执行器和其他智能设备免遭未经授权的使用。隐私和防窃听也可能是要求。

Smart objects/embedded systems: Consists of sensors, actuators, and other embedded systems at the edge of the network. This is the most vulnerable part of an IoT. The devices may not be in a physically secure environment and may need to function for years. Availability is certainly an issue. Also, network managers need to be concerned about the authenticity and integrity of the data generated by sensors and about protecting actuators and other smart devices from unauthorized use. Privacy and protection from eavesdropping may also be requirements.

 

图像 雾/边缘网络:该级别涉及物联网设备的有线和无线互连。另外,一定量的数据处理和整合可以在这个级别完成。值得关注的一个关键问题是各种物联网设备使用的网络技术和协议多种多样,以及制定和实施统一安全策略的需要。

Fog/edge network: This level is concerned with the wired and wireless interconnection of IoT devices. In addition, a certain amount of data processing and consolidation may be done at this level. A key issue of concern is the wide variety of network technologies and protocols used by the various IoT devices and the need to develop and enforce a uniform security policy.

 

图像 核心网络:核心网络层提供网络中心平台和物联网设备之间的数据路径。这里的安全问题是传统核心网络中面临的问题。然而,需要交互和管理的大量端点造成了巨大的安全负担。

Core network: The core network level provides data paths between network center platforms and the IoT devices. The security issues here are those confronted in traditional core networks. However, the vast number of endpoints to interact with and manage creates a substantial security burden.

 

图像 数据中心/云:该级别包含应用程序、数据存储和网络管理平台。除了处理大量单独端点的必要性之外,物联网在此级别不会引入任何新的安全问题。

Data center/cloud: This level contains the application, data storage, and network management platforms. IoT does not introduce any new security issues at this level, other than the necessity of dealing with huge numbers of individual endpoints.

 

在这个四级架构中,思科模型定义了四种跨越多个级别的通用安全功能:

Within this four-level architecture, the Cisco model defines four general security capabilities that span multiple levels:

 

图像 基于角色的安全性: RBAC系统将访问权限分配给角色而不是单个用户。反过来,根据用户的职责,用户被静态或动态地分配给不同的角色。RBAC 在云和企业安全领域享有广泛的商业用途,是一种易于理解的工具,可用于管理对 IoT 设备及其生成的数据的访问。

Role-based security: RBAC systems assign access rights to roles instead of individual users. In turn, users are assigned to different roles, either statically or dynamically, according to their responsibilities. RBAC enjoys widespread commercial use in cloud and enterprise security and is a well-understood tool that can be used to manage access to IoT devices and the data they generate.

 

图像 防篡改和检测:该功能在设备和雾网络层面尤为重要,但也延伸到核心网络层面。所有这些级别可能涉及物理上位于受物理安全措施保护的企业区域之外的组件。

Antitamper and detection: This function is particularly important at the device and fog network levels but also extends to the core network level. All of these levels may involve components that are physically outside the area of the enterprise that is protected by physical security measures.

 

图像 数据保护和机密性:这些功能扩展到架构的所有级别。

Data protection and confidentiality: These functions extend to all level of the architecture.

 

图像 互联网协议保护:保护动态数据免遭窃听和窥探在各个级别之间至关重要。

Internet protocol protection: Protection of data in motion from eavesdropping and snooping is essential between all levels.

 

图 16.10映射了物联网模型四层中的特定安全功能区域。2015 年思科物联网安全白皮书 [FRAH15] 还提出了一个安全物联网框架,该框架定义了涵盖所有级别的物联网安全设施的组件,如图 16.11 所示,并在下面的列表中进行了描述

Figure 16.10 maps specific security functional areas across the four layers of the IoT model. A 2015 Cisco White Paper on IoT security [FRAH15] also proposes a secure IoT framework that defines the components of a security facility for an IoT that encompasses all the levels, as shown in Figure 16.11, and described in the list that follows.

 
图像

图 16.11安全物联网框架

FIGURE 16.11 Secure IoT Framework

 

图像 身份验证:包含通过首先识别物联网设备来启动访问确定的元素。与可以通过人类凭证(例如用户名和密码或令牌)识别的典型企业网络设备相比,物联网端点必须通过不需要人类交互的方式进行指纹识别。此类标识符包括 RFID、x.509 证书或端点的 MAC 地址。

Authentication: Encompasses the elements that initiate the determination of access by first identifying the IoT devices. In contrast to typical enterprise network devices, which may be identified by a human credential (for example, username and password or token), the IoT endpoints must be fingerprinted by means that do not require human interaction. Such identifiers include RFID, x.509 certificates, or the MAC address of the endpoint.

 

图像 授权:控制设备对整个网络结构的访问。该元素包含访问控制。它与身份验证层一起建立必要的参数,以实现设备之间以及设备与应用程序平台之间的信息交换,并支持执行物联网相关服务。

Authorization: Controls a device’s access throughout the network fabric. This element encompasses access control. Together with the authentication layer, it establishes the necessary parameters to enable the exchange of information between devices and between devices and application platforms and enables IoT-related services to be performed.

 

图像 网络强制策略:包含通过基础设施安全路由和传输端点流量的所有元素,无论是控制、管理还是实际数据流量。

Network enforced policy: Encompasses all elements that route and transport endpoint traffic securely over the infrastructure, whether control, management or actual data traffic.

 

图像 安全分析,包括可见性和控制:该组件包括集中管理物联网设备所需的所有功能。首先,这涉及物联网设备的可见性,这意味着中央管理服务可以安全地了解分布式物联网设备集合,包括每个设备的身份和属性。建立在这种可见性的基础上的是施加控制的能力,包括配置、补丁更新和威胁对策。

Secure analytics, including visibility and control: This component includes all the functions required for central management of IoT devices. This involves, first, visibility of IoT devices, which simply means that central management services are securely aware of the distributed IoT device collection, including identity and attributes of each device. Building on this visibility is the ability to exert control, including configuration, patch updates, and threat countermeasures.

 

与该框架相关的一个重要概念是信任关系。在这种情况下,信任关系是指交易双方对对方的身份和访问权限有信心的能力。信任框架的身份验证组件提供基本级别的信任,并通过授权组件扩展该信任级别。思科物联网安全白皮书 [FRAH15] 给出了汽车可以与同一供应商的另一辆汽车建立信任关系的示例。然而,这种信任关系可能只允许汽车交换其安全能力。当同一辆车与其经销商网络之间建立信任关系时,可以允许该车共享附加信息,例如里程表读数和上次维护记录。

An important concept related to this framework is that of trust relationship. In this context, trust relationship refers to the ability of the two partners to an exchange to have confidence in the identity and access rights of the other. The authentication component of the trust framework provides a basic level of trust, which is expanded with the authorization component. The Cisco IoT security white paper [FRAH15] gives the example that a car may establish a trust relationship with another car from the same vendor. That trust relationship, however, may only allow cars to exchange their safety capabilities. When a trusted relationship is established between the same car and its dealer’s network, the car may be allowed to share additional information such as its odometer reading and last maintenance record.

 
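The vehicle trust relationship just described, as an added example that is not from the book or from Cisco's white paper: the authentication component verifies who the partner is, the authorization component assigns a role from that verified identity, and the role (RBAC, as in the capabilities list above) decides which attributes of the car's record are released, with each attempt logged for the Y.2066 security audit requirement. The vendor name, dealer identity, provisioning key and data record are all constructed, and the HMAC tag is a stand-in for the certificate-based, human-free device identity the text mentions.

```python
"""Trust relationships in the IoT security framework: authenticate, assign a
role, then release only the attributes that role permits, and log every
attempt. Added example; every identity and value here is constructed."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed data record of "our" car. Which attributes a partner may see
# depends on the trust relationship established with it.
VEHICLE_RECORD = {
    "safety_capabilities": ["abs", "lane_keep_assist", "emergency_brake"],
    "odometer_km": 48210,
    "last_maintenance": "2015-03-12 oil change, brake pads",
    "owner_name": "constructed-owner",  # no role below may read this
}

OUR_VENDOR = "ExampleMotors"               # constructed vendor name
TRUSTED_DEALERS = {"dealer-0042.example"}  # constructed dealer identities

# Constructed vendor provisioning key. The MAC tag it produces stands in for
# a vendor-issued device certificate; it is not the framework's own mechanism.
VENDOR_KEY = b"constructed-provisioning-key"

# RBAC: access rights are attached to roles, never to individual partners.
ROLE_PERMISSIONS = {
    "peer_vehicle_same_vendor": {"safety_capabilities"},
    "dealer_network": {"safety_capabilities", "odometer_km", "last_maintenance"},
    "unknown": set(),
}


@dataclass(frozen=True)
class Identity:
    """Outcome of the authentication component: a verified partner identity."""
    subject: str  # e.g. a VIN or a dealer host name (constructed values)
    vendor: str
    kind: str     # "vehicle" or "dealer"


def issue_credential(subject, vendor, kind, key=VENDOR_KEY):
    """Vendor-side provisioning: bind the identity fields to a MAC tag."""
    msg = f"{subject}|{vendor}|{kind}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"subject": subject, "vendor": vendor, "kind": kind, "tag": tag}


def authenticate(credential):
    """Authentication: recompute the tag under our vendor key; None on failure.
    Passing here gives only the basic level of trust (the identity is known)."""
    expected = issue_credential(credential["subject"], credential["vendor"],
                                credential["kind"])["tag"]
    if not hmac.compare_digest(expected, credential["tag"]):
        return None
    return Identity(credential["subject"], credential["vendor"], credential["kind"])


def assign_role(identity):
    """Authorization: expand basic trust into a role, assigned dynamically
    from the verified identity rather than from a per-partner table."""
    if identity.kind == "dealer" and identity.subject in TRUSTED_DEALERS:
        return "dealer_network"
    if identity.kind == "vehicle" and identity.vendor == OUR_VENDOR:
        return "peer_vehicle_same_vendor"
    return "unknown"


def share_with(credential, audit_log):
    """Return the view of VEHICLE_RECORD this partner may see, and append an
    audit entry (role, subject, attributes released) for every attempt."""
    identity = authenticate(credential)
    if identity is None:
        audit_log.append(("auth_failed", credential["subject"], ()))
        return {}
    role = assign_role(identity)
    view = {k: v for k, v in VEHICLE_RECORD.items() if k in ROLE_PERMISSIONS[role]}
    audit_log.append((role, identity.subject, tuple(sorted(view))))
    return view


if __name__ == "__main__":
    log = []
    peer = issue_credential("VIN-constructed-001", OUR_VENDOR, "vehicle")
    dealer = issue_credential("dealer-0042.example", OUR_VENDOR, "dealer")
    print(share_with(peer, log))    # safety capabilities only
    print(share_with(dealer, log))  # adds odometer and maintenance record
    for entry in log:
        print(entry)
```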

结论

Conclusion

 

计算机和网络安全协议、技术和政策在过去几十年中已经发展并成熟,适合企业、政府和其他用户的需求。尽管攻击者和防御者之间的军备竞赛正在进行,但为传统网络和SDN/NFV网络构建强大的安全设施是可能的。拥有数百万至数十亿设备的物联网网络突然爆炸,带来了前所未有的安全挑战。如图 16.1016.11所示的模型和框架可以作为物联网安全设施设计和实施的基础。

Computer and network security protocols, technologies, and policies have developed and matured over the past decades, tailored to the needs of enterprises, governments, and other users. Although there is an ongoing arms race between attackers and defenders, it is possible to build a powerful security facility for traditional networks and for SDN/NFV networks. The sudden explosion of IoT networks with millions to billions of devices poses an unprecedented security challenge. A model and framework such as that of Figures 16.10 and 16.11 can serve as a foundation for the design and implementation of an IoT security facility.

 

16.6 Key Terms

After completing this chapter, you should be able to define the following terms.

accountability

attack surface

authenticity

availability

confidentiality

data confidentiality

data integrity

hypervisor introspection

integrity

privacy

role-based access control (RBAC)

Security as a Service (SecaaS)

system integrity

Transport Layer Security (TLS)

Chapter 17. The Impact of the New Networking on IT Careers

You don’t understand! I coulda had class. I coulda been a contender. I could’ve been somebody, instead of a bum, which is what I am.

—Marlon Brando, On the Waterfront, 1954

Chapter Objectives: After studying this chapter, you should be able to

• Discuss the changing responsibilities of network professionals and the impact on job positions.

• Present an overview of DevOps.

• Understand the role of DevOps for implementing networking systems.

• Understand the relevance of training and certification programs.


网络格局正在以多种方式和多个方向迅速发生变化。为了进一步发展他们的职业生涯,网络专业人员不仅需要掌握新的技术技能,还需要扩大他们在网络技术、管理和部署的许多方面的参与范围。本章旨在提供一些指导和信息,有助于保护和增强您在新网络环境中的职业前景。

The network landscape is changing rapidly in a variety of ways and in a number of directions. To further their careers, network professionals need to not only master new technical skills but also broaden the scope of their involvement in the many facets of network technology, management, and deployment. This chapter aims to provide some guidance and information that will be useful in protecting and enhancing your career prospects in the new networking landscape.

 

本章首先对网络专业人员的角色变化进行了一些总体思考。接下来,本章重点关注在发展职业建设技能时可能被忽视的一个特定领域:DevOps。接下来是关于培训和认证的讨论。本章最后描述了在线资源,这些资源可以成为持续的信息和支持来源。

The chapter begins with some overall thoughts about the changing roles of network professionals. Next, the chapter focuses on one specific area that might be overlooked in developing your career-building skills: DevOps. This is followed by a discussion of training and certification. The chapter closes with a description of online resources that can be an ongoing source of information and support.

 

17.1 网络专业人员角色的变化

17.1 The Changing Role of Network Professionals

 

新兴的网络时代具有警报网络专业人员应该考虑的许多影响。我们在这里提到一些:

The emerging networking era has many ramifications that the alert network professional should consider. We mention some here:

 

图像网络基础设施不太可能来自单一供应商。该基础设施具有多层、定义的接口(水平和垂直)、对抽象的依赖以及本地和基于云/雾的元素的混合。

The network infrastructure is unlikely to be sourced from a single vendor. The infrastructure has multiple layers, defined interfaces (both horizontal and vertical), reliance on abstraction, and a mix of local and cloud/fog-based elements.

 

图像应用程序工作负载的种类和速度都在发生变化。管理、利用甚至定义网络基础设施的软件模块需要合并到网络软件环境中。

Application workloads are changing, both in the variety and pace. Software modules that manage, utilize, and even define the network infrastructure need to be incorporated into the network software environment.

 

图像网络专业人员可用的工具集正在迅速增加,包括语言、脚本工具和越来越多的打包产品,以帮助进行网络设计、部署、操作、管理和安全。IT 主管了解这些工具,并希望他们的网络团队能够使用它们。

The available toolset of the network professional is proliferating rapidly, including languages, scripting tools, and a growing variety of packaged products to help do network design, deployment, operations, management, and security. IT executives are aware of these tools and expect their networking team to use them.

 

图像网络功能越来越多地使用软件技术来定义、实现和管理,例如软件定义网络 (SDN) 和网络功能虚拟化 (NFV)。网络的这种“软”性质迫使 IT 管理以及网络开发和运营采用日益协作的方法。

Network functions are increasingly being defined, implemented, and managed using software techniques, such as software-defined networking (SDN) and network functions virtualization (NFV). This “soft” nature of networks compels an increasingly collaborative approach to IT management and to network development and operations.

 

网络专业人员不能指望凭借在大学中学到的技能或迄今为止获得的培训来继续前进。SDN 和 NFV 向更多参与者开放了网络生态系统,以便来自不同背景的人们可以访问复杂的网络世界。随着职位空缺的消失和开放,网络角色和职责将不断变化。网络专业人士需要抓住内部和第三方培训的机会,以保持竞争优势。

Network professionals cannot expect to move forward with skills learned in college or training so far obtained. SDN and NFV open up the network ecosystem to many more players so that the complex world of networking is accessible to people coming from a variety of backgrounds. Networking roles and responsibilities will be in flux, with job slots disappearing and opening up. Networking professionals need to seize opportunities for both in-house and third party training to maintain their competitive edge.

 

职责变化

Changing Responsibilities

 

Metzler 的一篇网络论文 [ METZ14b ] 列出了以下网络和 IT 基础设施专业人员新兴角色的关键特征:

A Webtorials paper by Metzler [METZ14b] lists the following as key characteristics of the emerging role of network and IT infrastructure professionals:

 

图像 更加重视编程:作为 SDN 和 NFV 网络结构一部分的应用程序编程接口 (API) 的激增至少需要高级 IT 专业人员对编程有一定程度的了解,以便更好地与企业软件开发单位进行交互。组织可能希望通过让网络专业人员编写利用这些 API 的程序来利用新推出的 API 功能。这将在17.2 节中进一步讨论。

More emphasis on programming: At minimum, the proliferation of application programming interfaces (APIs) as part of the SDN and NFV network structure requires senior level IT professionals to have some level of understanding of programming to better interact with enterprise software development units. And organizations may want to leverage the API functionality newly available by having networking professionals write programs that utilize those APIs. This is discussed further in Section 17.2.

 

图像 增加对其他 IT 学科的了解:随着团队之间的互操作,IT 将不再受特定专业领域(存储、网络、虚拟化和安全)的束缚,并且更加跨职能。对协作和 DevOps(将在下一节中讨论)的日益重视需要融合从 IT 安全到数据库设计和应用程序架构以及介于两者之间的所有技能。虽然团队中的每个人都有特定的优势,但每个人还需要具备其他领域的工作知识。

An increased knowledge of other IT disciplines: IT will become less separated by specific areas of expertise (storage, networking, virtualization, and security) and more cross-functional as teams interoperate with each other. The increased emphasis on collaboration and DevOps (discussed in the next section) requires an amalgamation of skills spanning everything from IT security to database design and application architecture, plus everything in between. While each individual on the team has a particular strength, each one also needs to have working knowledge in other areas.

 

图像 更加重视安全性:随着数据在本地、云端和用户设备上得到保护,安全专业知识变得更加重要。数据是任何公司的命脉,因此确定和执行既保证数据安全又不影响用户完成工作的能力的策略至关重要。

Heightened emphasis on security: Security expertise becomes more critical as data is secured on premises, in the cloud, and on user devices. Data is the lifeblood of any company, and so determining and enforcing policies that keep things secure without impacting users’ ability to get their work accomplished will be critical.

 

图像 更加关注制定策略: SDN 和 NFV 使 IT 组织能够以比以前更加动态和精细的方式实施策略驱动的基础设施。

More focus on setting policy: SDN and NFV enable IT organizations to implement a policy-driven infrastructure in a more dynamic and granular fashion than was previously possible.

 

图像 更多的业务知识: SDN、NFV 和 QoE 为管理层提供了对业务需求和客户要求做出敏捷响应的技术基础。新的应用软件被生成并在网络上运行,虚拟化网络元素被快速修改和重新定位,以适应企业和用户的需求。这给网络专业人员带来了理解如何管理和配置网络以支持这种动态环境的负担。另一个考虑因素是,IT 组织证明 IT 投资合理性的能力越来越依赖于该组织具体展示该投资的业务价值的能力。

More knowledge of the business: SDN, NFV, and QoE provide management with the technology base for providing an agile response to business needs and customer requirements. New application software is generated to run on the network and the virtualized network elements are modified and repositioned rapidly to adjust to enterprise and user needs. This places the burden on the network professional to understand how the network is to be managed and configured to support this dynamic environment. Another consideration is that the ability of the IT organization to justify an investment in IT is increasingly tied to the ability of the organization to concretely demonstrate the business value of that investment.

 

图像 对应用的更多理解:云计算和物联网开辟了需要网络支持的应用范围。这些应用程序的架构也在不断扩展,简单的客户端/服务器模型被垂直(多层)和水平(对等合作)分布的应用程序结构所取代或增强。复杂的应用程序,例如客户关系管理 (CRM),实际上由多个模块组成,具有一系列网络要求。IT 基础设施和网络专业人员尤其需要更好地了解这些新架构和复杂应用程序,以确保新兴技术集得到适当的设计和架构。

More understanding of applications: Cloud computing and IoT open up the range of applications that need to be supported on networks. The architecture of these applications is broadening as well, with simple client/server models supplanted or enhanced by applications structures that spread out vertically (mutitier) and horizontally (peer cooperation). Complex applications, such as customer relationship management (CRM), actually consist of several modules, with a range of network requirements. IT infrastructure and network professionals in particular need to better understand these new architectures and complex applications to ensure that the emerging set of technologies are designed and architected appropriately.

 

Pretz [ PRET14 ]的一篇论文提供了关于在新的网络环境中取得成功所需的另一个有趣的观点,其中列出了网络专业人员所需的以下五种技能:

Another interesting take on what is needed to succeed in the new networking environment is provided in a paper by Pretz [PRET14], which lists the following five skills needed by network professionals:

 

图像整合 IT 和网络领域专业知识的能力,这些年来,这两个领域彼此独立发展,但现在正在融合。

The ability to incorporate know-how from the IT and network domains, which have grown independently of each other over the years but are now converging.

 

图像了解工业数学,应用数学的一个分支。拥有这些知识的人将能够更好地理解技术问题,制定精确和准确的数学模型,并使用最新的计算机技术实施解决方案。对这一领域的理解将有助于通过应用机器学习和认知算法来开发系统,这有望降低 SDN 的复杂性和动态性。

An understanding of industrial mathematics, a branch of applied mathematics. Those with this knowledge will be better able to understand technical issues, formulate precise and accurate mathematical models, and implement solutions using the latest computer techniques. An understanding of this field will help in developing systems by applying machine learning and cognitive algorithms, which are expected to lessen the complexity and dynamic nature of SDNs.

 

图像掌握软件架构和开源软件,这是开发 SDN 工具和应用程序所必需的。了解软件验证和确认流程也将很有帮助,这可确保软件符合规范并实现其预期目的。一些工程师认为他们需要编程技能,但事实并非如此,因为第三方的 SDN 软件应用程序已经可用。

A mastery of software architecture and open source software, which is needed to develop SDN tools and applications. It will also be helpful to understand software verification and validation processes, which ensure that software meets specifications and fulfills its intended purpose. Some engineers assume they’ll need programming skills, but that’s not necessarily so, because software applications for SDNs from third parties are already available.

 

图像拥有大数据分析背景,了解如何处理 SDN 所需的大量数据。擅长大数据分析的人不仅能够管理更多数据,而且知道出现问题时应该提出正确的问题。此类分析还将帮助工程师做出明智的、数据驱动的决策。

A background in big data analytics to understand how to handle the huge amounts of data expected from SDNs. Someone skilled in big data analytics will not only be able to manage more data but also know the right questions to ask should problems arise. Such analytics will also help engineers make smart, data-driven decisions.

 

图像网络安全方面的专业知识,因为 SDN 中安全必须无处不在。它需要内置到架构中,并且必须作为服务提供,以保护互联资源和信息的可用性、完整性和隐私性。

Expertise in cybersecurity, because security must be everywhere within SDNs. It needs to be built into the architecture and also must be delivered as a service to protect the availability, integrity, and privacy of connected resources and information.

 

对职位的影响

Impact on Job Positions

 

在 Global Knowledge 白皮书中,Hales [ HALE14 ] 列出了以下 SDN 和 NFV 对个人工作职位可能产生的影响:

In a Global Knowledge white paper, Hales [HALE14] lists the following as likely impacts of SDN and NFV on individual job positions:

 

图像 网络管理员:具有设计和管理软件主导网络以及规划现有环境迁移策略技能的人员将受到大量需求。

Network administrator: Those with the skills to design and manage software-dominated networks and to plan migration strategy from the existing environment will be in high demand.

 

图像 虚拟化管理员:需要具有更高级技能的管理员来弄清楚如何实施云系统并使其在现有基础设施中工作。虚拟化管理员需要与存储、网络、安全和应用程序团队更密切地合作,使他们能够无缝地协同工作。

Virtualization administrator: Administrators with more advanced skills will be needed for figuring out how to implement cloud systems and make them work within an existing infrastructure. Virtualization administrators will need to work more closely with the storage, network, security, and application teams to make them seamlessly work together.

 

图像 应用程序管理员:应用程序管理员需要了解 SDN 和 NFV API 对应用程序的许多影响。这包括应用程序可以请求网络为其提供正常工作所需的带宽和延迟。管理员需要知道这些要求是什么,并与其他应用程序管理员合作,以确保满足所有应用程序的需求。安全需求也会以意想不到的方式发生变化,因此应用程序管理员需要充分了解安全服务和机制。

Applications administrator: Applications administrators need to be aware of the many implications of SDN and NFV APIs on applications. This includes the fact that applications can request the network to provide them with the bandwidth and latency needed for the application to work correctly. Administrators will need to know what these requirements are and work with other application administrators to ensure that the needs of all applications are being met. Security needs will also change in unanticipated ways so that the applications administrator needs a good understanding of security services and mechanisms.

 

图像 安全管理员:安全管理员可能需要与其他类型的管理员更密切地合作,以确保设计、实施和审核适当的策略和规则,以确保合规性。随着公司更多地转向云并鼓励用户携带自己的设备 (BYOD),对此类管理员的需求只会增加。

Security administrator: The security administrator will likely need to work more closely with other types of administrators to ensure that appropriate policies and rules are designed, enforced, and audited to ensure compliance. As companies move more to the cloud and encourage users to bring your own device (BYOD), the need for this type of administrator will only increase.

 

图像 开发人员:开发人员可能会将功能集成到 SDN 和 NFV 控制器提供的 API 中,或者编写可以向网络发出请求的应用程序。这可能需要额外的一般网络知识以及需要用于解决给定问题的特定 API 的知识。开发人员需要更详细地考虑安全性,并将安全要求传递给安全、应用程序、虚拟化和/或网络团队,以确保满足应用程序的要求并根据需要修改应用程序。

Developer: Developers might be tasked with integrating functionality into the APIs provided by the SDN and NFV controllers, or they may write applications that can make requests of the network. This may require additional general networking knowledge as well as knowledge of the specific APIs that need to be used for a given problem. Developers will need to think about security in greater detail and pass on security requirements to security, application, virtualization, and/or network teams to ensure that the requirements of the application are met and to modify the application as needed.

IT manager: IT managers must become generalists with an ability to understand the new networking capabilities, the security demands of the new environment, and the need to integrate application development with network development. A collaborative mindset, such as is required by DevOps (discussed in Section 17.2), must be cultivated by all within the organization.

Bottom Line

The need for a strong staff of networking professionals is not going to go away, no matter how many automated tools are added to the new networking infrastructures. But the roles, responsibilities, and skills needed to thrive in the new networking environment are changing.

17.2 DevOps

A review of technical and management literature on SDN, NFV, cloud, and Internet of Things (IoT) shows a frequent reference to the need for personnel who understand and can use a DevOps approach to designing, installing, and managing these new network technologies. This section first provides an overview of the concept of DevOps and then looks at how it applies to modern networking technologies.

DevOps Fundamentals

In just a few short years, DevOps has gone from a buzzword to an accepted method of software development and deployment. Enterprises large and small are trying to get a grasp on what DevOps is and what impact it can have on their organizations. The attention is coming not just from IT executives and CIOs but also from business managers who are beginning to recognize the potential of DevOps to enable business units to become more efficient, deliver higher-quality product, and be more agile and innovative. Major software organizations, including IBM and Microsoft, are rapidly expanding their DevOps offerings.

The focus of DevOps has been the development of application software and support software. The essence of the DevOps philosophy is that all participants in creating a product or system should collaborate from the beginning, including business unit managers, developers, operations staff, security staff, and end-user groups.

To understand the DevOps approach, we need to briefly outline the typical stages in the development and deployment of applications. As described in Application Release and Deployment for Dummies, most application vendors and in-house application developers follow a lifecycle similar to the following [MINI14]:

Development (DEV): Developers build and deploy code in a test environment, and the development team tests the application at the most basic level. When the application meets certain criteria for advancement, it moves to SIT.

System integration testing (SIT): The application is tested to ensure that it works with existing applications and systems. When the application meets the criteria of this environment, it is deployed to UAT.

User acceptance testing (UAT): The application is tested to ensure that it provides the required features for end users. This environment usually is production-like. When the application passes these requirements, it moves to production.

Production (PROD): The application is made available to users. Feedback is captured by monitoring the application’s availability and functionality. Any updates or patches are introduced in the DEV environment and follow the same cycle.

Traditionally, an information system development project proceeds sequentially through these stages, without delivering working pieces in between and without obtaining customer feedback on the way. The entire process is called waterfall development. With such large projects, once each stage is completed, it cannot be easily reversed, much like trying to move up a waterfall. Beginning in the early 2000s, agile software development began to gain favor. The agile methods emphasize teamwork, customer involvement and, most significantly, the creation of small or partial pieces of the total system that are tested in a user environment. For example, an application with 25 features might be prototyped with only 5 or 6 thoroughly completed before adding more, and so on. Agile development has proven to be more effective in dealing with changing requirements during the development phase, which always seem to occur.

Agile development is characterized by frequent releases, in an iterated loop fashion, with a certain amount of automation in the form of tools that can be used to support collaboration. DevOps takes this philosophy much further. It is characterized by rapid releases, feedback loops embedded throughout the process, and a comprehensive set of tools and documented best practices to automate the DevOps process.

Figure 17.1, from DevOps for Dummies, provides an overview of the DevOps process [SHAR15].

FIGURE 17.1 DevOps Reference Architecture

DevOps can be viewed as a repetitive cycle of four major activities:

Plan and measure: Focuses on business units and their planning process. The planning process relates business needs to the outcomes of the development process. This activity can start with small, limited portions of the overall plan, identifying outcomes and resources needed to develop the required software. The plan must include developing measures that are used to evaluate software, adapt and adjust continually, relate to customer needs, and continually update the development plan and the measurement plan. The measurement function can also be applied to the DevOps process itself to ensure that the right automated tools are being used and that collaboration is ongoing.

Develop and test: Focuses on collaborative development, continuous integration of new code, and continuous testing. It focuses on streamlining development and testing teams’ capabilities. Useful tools are automated tracking of testing against measured outcomes and virtualized test beds that enable testing in an isolated but real-world environment.

Release and deploy: Provide a continuous delivery pipeline that automates deployment to test and production environments. Releases are managed centrally in a collaborative environment that leverages automation. Deployments and middleware configurations are automated and then mature to a self-service model that provides individual developers, teams, testers, and deployment managers with a capability to continuously build, provision, deploy, test, and promote. Infrastructure and middleware provisioning evolves to an automated then self-service capability similar to application deployment. Operations engineers cease manually changing environments; instead, they focus on optimizing the automation.

Monitor and optimize: Includes the practices of continuous monitoring, customer feedback, and optimization to monitor how applications are performing post-release, allowing businesses to adapt their requirements as needed. Customer experience is monitored to optimize experiences within business applications. Optimization to customer key performance indicators that reflect business value attainment is part of the continuous improvement program.

Figure 17.2, from the Microsoft white paper Enterprise DevOps [MICR15], provides another useful perspective on DevOps. DevOps is intended to improve the efficiency and effectiveness of the process of managing applications throughout their lifecycle. With the introduction of agile software development, organizations have developed application lifecycle management (ALM) practices to integrate the business, development, QA, and operations functions in a virtuous cycle for greater agility in delivering continuous value.

FIGURE 17.2 Modern Application Lifestyle Management

As part a of Figure 17.2 shows, ALM practices, as they have developed, have encountered a number of impediments to agile and effective delivery of the final product. These arise from the conventional divide that exists between development and operations functions. A key theme illustrated here is the danger that operations requirements are being de-prioritized to accommodate functional needs. DevOps intends to address these impediments, as shown in part b of Figure 17.2.

Fundamentally, DevOps rests on two key foundations: collaboration and automation. Collaboration begins with management policy to encourage and require the various actors in the software development and deployment process to work together. Automation consists of tools that support that collaboration and are designed to automate as much as possible the cyclic process illustrated in Figures 17.1 and 17.2.

A number of companies now offer DevOps automation tools. For example, in 2014 Microsoft introduced a number of tools that work as part of their Visual Studio offerings. Visual Studio is a set of developer tools and services to assist users in creating apps on Microsoft platforms and in the cloud. One of the additions is releasing management software that automates many of the chores that are needed to be done to move a software program from development to production, such as alerting the appropriate managers, and preparing the production server to run the software. Another DevOps-minded feature Microsoft has introduced for Visual Studio is called Cloud Deployment Projects, which allows organizations to capture and reuse the configuration settings of new applications, in order to speed the deployment times. The configuration settings, or blueprints, are captured within a virtual machine (VM), which then can be deployed, holding the application, in the Microsoft Azure cloud. Microsoft also introduced its Application Insights software. Application Insights provides a way to instrument an application so the developers can determine if it is working correctly, and how people are using the software program. This could help developers pinpoint bugs, as well as get early insight into behavioral issues, such as a sudden fall-off of use due to a bad redesign.

The Demand for DevOps

IT departments are increasingly relying on DevOps. For example, a recent report [DICE15] on the job-listing site Dice stated that “senior system administrators with DevOps and an engineering background are in the right area of their careers. In markets like Silicon Valley, recruiting DevOps talent can be a headache. It’s not unusual for multiple offers, counteroffers, and rising salaries for DevOps experience.” Table 17.1 shows the number of active job listings for DevOps engineers, managers, architects, and so on within a 100-mile radius of six U.S. cities. DevOps clearly has “arrived” as a skill set that tech employers are seeking.

TABLE 17.1 Recent DevOps Job Listings on Dice by Location (May 2015)

DevOps for Networking

Although DevOps was created and has evolved to support the application development and deployment process, it can also be applied in the networking context. This is because the networking infrastructure is increasingly software defined and software driven:

Software-defined networking (SDN): SDN defines network behavior in software. Utilities and apps at the control and application level build on the basic capability provided by the split between the control and data planes. Network designers and network managers need to be able to rapidly respond to changing network conditions and requirements and the need for new customer-driven applications.

Network functions virtualization (NFV): NFV defines the structure and functioning of the network in software, with the deployment of virtual compute, storage, and network functions. The NFV software environment is complex, involving the interaction of a host of virtual network functions (VNFs) and management and operations software. This is an environment that requires rapid response to changing conditions and demands.

QoS/QoE: The demands of quality of service (QoS) and especially quality of experience (QoE) dictate a process that is driven by end-user analytics and that is best served by a rapid development and deployment cycle to ensure that the network is responsive to the end user’s needs.

Cloud: Whether it be IaaS, PaaS, or SaaS, and whether it be public or private cloud, cloud managers and providers have a constant, ongoing need to modify and enhance cloud offerings. To meet user expectations, this must be done in a highly agile manner.

Internet of Things (IoT): Although IoT involves lots of physical “stuff,” the overall architecture from the fog computing edge to the central application platforms requires rapid response to changing conditions to provide expected performance, as well as the need to constantly upgrade and modify the networks to deal with a rapidly changing mix of IoT devices.

In a nutshell, a DevOps approach is not just for applications, web server software, and the like; it is also for network infrastructure. For network managers and network engineers who are designing and deploying network infrastructure software and who are modifying the network infrastructure on demand, the DevOps approach can involve a number of aspects, including the following:

Increased collaboration with network operations staff so as to anticipate how network changes will impact day-to-day operations, developing metrics for measuring the impact of changes, and developing procedures for creating a back-and-forth between development and operations.

Examining the software and network infrastructure deployment pipeline with a focus on the processes that govern pipeline flow to determine how to enhance efficiency and remove impediments.

Adopting automation tools to eliminate repetitious tasks.

All the networking technologies discussed in this book lend themselves to the DevOps approach. But perhaps the most prominent area is cloud computing/networking, where providers seem to be ahead of the curve in employing DevOps techniques. As pointed out in the Dice report, Why DevOps Is CPR for Cloud Applications, [DICE13], “The cloud lends itself naturally to DevOps in that it’s heavily driven by APIs and frameworks that can easily be incorporated into automated, DevOps processes. It is the API-driven, self-service provisioning that makes the cloud the cloud, so DevOps is a natural fit where clouds are involved. That means a good way to succeed or move into a position in the cloud is to polish your scripting and API-targeting skills. Being able to demonstrate experience with public cloud provider APIs or private cloud management frameworks will go a long way toward building a portfolio of cloud skills that will make you more attractive to prospective (and current) employers.”

An Information Week article [MACV15] points out that a common concern among network engineers, as the beating of the DevOps drum gets louder, is the associated focus on programmability. In particular, engineers are concerned they may be required to, well, code (rightly so, given phrases like infrastructure as code). They are concerned about the skills and skill sets they need that they may not have. Two things need to be said about that. First, the type of coding likely to be involved is scripting, rather than large software development with C, C++, Java, and so on. Network engineers use tools such as Python, Perl, Bash, and Curl to script common tasks across a variety of devices. To move this scripting approach into the DevOps realm, the network engineer needs to learn some tools that are integral to a networking DevOps environment.

One such tool is a version control system, such as Git. In addition to being a repository for software source code, version control systems can hold configuration data for infrastructure such as routers, firewalls, switches, and Apache web servers. Maintaining configuration data in a version control system provides an element of change control. It allows you to track things such as when a firewall rule was introduced or when an Apache vhost was added. The scripts written for device tasks (for example, in Python) can be stored in Git, where they are versioned and controlled. Further, with Git, scripting can be used to automate much of the task of populating the version control data. In addition, configuration management tools, such as Puppet or Chef, can be used to generate templates that are stored in Git.

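The change-control use of Git described above, shown as an added example that is not code from the book: a constructed iptables-style ruleset is committed to a throwaway Git repository in two revisions, and git log -S is then used to find which commit (and which change request) introduced a given rule. It assumes only that git is installed; the repository path, the rules, and the commit messages are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the book: a firewall ruleset kept under Git so
# that "when was this rule introduced, and by which change?" is answered by a
# query over the history rather than by memory. Assumes git is installed; the
# repository path, the iptables-style rules and the commit messages below are
# all constructed for the demonstration.
set -eu

# Build a throwaway repository holding two revisions of the constructed ruleset.
setup_repo() {
  repo="$1"
  rm -rf "$repo"
  mkdir -p "$repo"
  git -C "$repo" init -q
  git -C "$repo" config user.email "netops@example.invalid"
  git -C "$repo" config user.name "netops"

  # Revision 1: baseline, SSH only, default deny.
  cat > "$repo/firewall.rules" <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
EOF
  git -C "$repo" add firewall.rules
  git -C "$repo" commit -q -m "Baseline ruleset: SSH only, default deny"

  # Revision 2: a later change opens HTTPS ahead of the final DROP. The commit
  # message carries a (constructed) change-request id, which is what turns the
  # history into an audit trail rather than just a backup.
  cat > "$repo/firewall.rules" <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
EOF
  git -C "$repo" commit -q -a -m "Open HTTPS for web tier (CR-0042, constructed id)"
}

# Subject of the commit that first added a line containing the given text.
# "git log -S" lists commits in which the number of occurrences of the text
# changed; with --reverse the first hit is the commit that introduced it.
rule_introduced_in() {
  git -C "$1" log --reverse -S"$2" --format=%s -- firewall.rules | head -n 1
}

# Only the rule lines a given commit added (+) or removed (-), for review.
rules_changed_by() {
  git -C "$1" show --format= --unified=0 "$2" -- firewall.rules | grep '^[-+]-A' || true
}

main() {
  repo="${TMPDIR:-/tmp}/fw-rules-demo.$$"
  setup_repo "$repo"
  printf 'Rule "--dport 443" introduced by: %s\n' "$(rule_introduced_in "$repo" "--dport 443")"
  printf 'Rule "--dport 22" introduced by:  %s\n' "$(rule_introduced_in "$repo" "--dport 22")"
  printf 'Rule lines changed by HEAD:\n%s\n' "$(rules_changed_by "$repo" HEAD)"
  rm -rf "$repo"
}

main "$@"
```
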
A second point to make is that DevOps for networking is broader than just scripting, such as working with relevant staff to optimize processes and manage the infrastructure in a collaborative fashion that takes into account development, operations, and user needs. Another ongoing task is determining what (and how) you need to measure to meet the business priorities that are driving DevOps in the first place: faster time to market, reduced risk, and lower costs.

Even so, the mastery of skills with particular software tools and packages is a good way to build DevOps credibility. The Dice report Critical Skills for DevOps Engineers, [DICE14] lists the following as the four main clusters of skills and tools to succeed in a DevOps role:

Puppet, Chef, Vagrant, CFEngine, and Bcfg2: Maintaining consistent system performance is critical. This means being up and available, as well as fast and reliable. Experience with these configuration management tools will help you manage software and system changes repeatedly and predictably.

Jenkins, Maven, Ant, CruiseControl, and Hudson: A key part of your job is making it faster and easier to create and deploy software. Experience with tools like these will help ensure you have what you need to keep things moving.

Git, SVN, CVS, Visual Studio Online, and Perforce: Version control is important to DevOps so developers don’t get in each other’s way. Use of these source control systems allows for collaboration on software projects and makes it easy to manage changes and updates.

Nagios, Munin, Zabbix, Sensu, LogStash, CloudWatch, Splunk, and NewRelic: As a DevOps professional, you must always keep tabs on performance. While the specifics of each tool are different, you should know the philosophy and principles behind each of them so that you can implement them effectively.

Strong experience with one technology in a cluster usually translates well to the others with only a few weeks of training, and because many of these tools are relatively new, you should be willing and able to apply your existing knowledge to new tools as needed for the role.

DevOps Network Offerings

A good indication of the growing awareness of the need for DevOps for modern network providers is found in the most recent annual NFV report from SDxCentral (SDxCentral Network Functions Virtualization Report, 2015 Edition). The following companies are listed as providing DevOps-related products:

Brocade Mobile Analytics: Provides a full mobile network visibility capability stack. Modular product architecture lends itself to DevOps model for rapidly deploying custom solutions that fulfill mobile operators’ unique needs.

Red Hat Enterprise Linux Atomic Host: An NFV software platform. It includes tools to enable IT organizations to quickly realize the benefits of DevOps practices, including faster delivery of features and continual improvement.

SuperCloud: A vendor-neutral NFV services orchestration platform. Enables data center and cloud service providers to deploy and manage VNF and SDN applications. Designed from DevOps and service automation mindset to fulfill the needs of network administrators that support IT application developers.

CloudShell: A DevOps-oriented cloud management platform that provides self-service access to complex network environments comprised of bare metal as well as virtualized components. CloudShell is used to automate DevOps labs and data centers for development, testing, training, support, proof of concept, and open communities. CloudShell markets itself as the leading automation platform for network DevOps.

The list of NFV- and SDN-related vendors whose offerings reflect or support DevOps is likely to grow dramatically in the next few years.

Cisco DevNet

In 2015, Cisco announced a new approach, known as DevNet, for Cisco customers and partners employing DevOps. DevNet is meant to be a community of the enterprise network developers among its customers, its independent software vendors, independent systems integrators, and Cisco partners, producing software applications to run the programmable network of the future.

Cisco DevNet provides software developer kits (SDKs), visual modeling tools, ready-to-use code samples, and more accessible REST-based APIs through partner Mulesoft. Also, DevNet is a community where members may come to rely on each other for shared experience and support. In addition, DevNet will serve as an education and delivery vehicle for the Cisco approach to SDN, its Application Centric Infrastructure.

Conclusion on the Current State of DevOps

This chapter devotes considerable space to DevOps for two reasons. First, DevOps will become increasingly critical for managing the stupendously complex networks that can be deployed with technologies such as NFV and SDN. Second, it is perhaps less obvious to the career-minded individual that DevOps know-how is a key skill than that an understanding of SDN, NFV, QoE, and so on is needed. The employee or job seeker with DevOps skills will have a competitive advantage going forward.

17.3 Training and Certification

The technologies discussed in this book are rapidly coming to dominate the networking industry and both private sector and government users. Networking professionals who have got this far in the book should by now be convinced of the need to learn these technologies and demonstrate competence in them. With all the changes taking place, experts warn networking pros that they will be left behind if they do not add new skills. Training and certification are the ideal vehicles for this. In a 2013 survey [BORT13] of 700 network professionals, some 60 percent said a certification led to a new job; 50 percent said they earned more pay, with 40 percent saying their pay increased by more than 10 percent directly because of a certification; and 29 percent said a certification led to a promotion.

Fortunately, there is a large and growing number of opportunities to learn how to use the new networking technologies through certification programs.

Certification Programs

Tables 17.2 through 17.4 show some of the certification programs available related to SDN, network virtualization, and the cloud, respectively. Many of these emphasize the products of the companies that offer the training and certification, and so networking professionals can choose programs that either enhance their skills for their current position or for positions they want to seek. As for IoT, there are few offerings from the traditional sources. One recently introduced offering is the Cisco Industrial Networking Specialist Certificate. This training and certification program is for information technology (IT) and operational technology (OT) professionals in the manufacturing, process control, and oil and gas industries, who will be involved with the implementation, operation, and support of networked industrial products and solutions. We can expect to see many more such offerings.

Table 17.5 lists a number of other certification offerings in networking-related fields.

TABLE 17.2 SDN Certification Programs

TABLE 17.3 Network Virtualization Certification Programs

TABLE 17.4 Cloud Certification Programs

TABLE 17.5 Other Networking-Related Certification Programs

IT Skills

A global survey of 1156 respondents by TechPro Research [TECH14] revealed that many people fear that their current IT skill set will become obsolete. To stave off obsolescence, many respondents are planning to obtain additional IT certifications or degrees, with 57 percent planning for IT certifications either within their current job role or outside of their current job role. There are vast opportunities for the networking professional both to obtain these credentials and to leverage their education to maintain a high level of job security.

 

A useful tool in considering what specific skills you might need is the Dice ranking of skills in demand. Some of these are not directly related to networking tasks, but given the collaborative nature of the new networking environment, these skills can strengthen the network professional’s resume. Table 17.6 shows the skills that commanded the highest salaries in the latest Dice salary survey, while Table 17.7 shows those skills for which demand is growing the fastest.
Source: 2015 Dice Tech Salary Survey

TABLE 17.6 Top-Paying Skills

Note: Descending order of popularity. These are not the skills most in demand, but the skills for which demand is growing most rapidly.

Source: Dice, April 2015

TABLE 17.7 Fastest Trending Skills

17.4 Online Resources

Numerous online resources can help you maintain and further your career, including the following:

ACM Career Resources: ACM is an excellent source of CS career information. Resources include the following:

Online Resources for Graduating Students, which has a useful list of links to career websites (http://www.acm.org/membership/membership/student/resources-for-grads).

ACM Career and Job Center (http://jobs.acm.org/) is a place for job seekers and employers in the computing industry to connect with each other.

Computer Careers website (http://computingcareers.acm.org/) provides guidance and resources for preparing for a career in computer science.

IEEE Resume Lab: Online service that allows IEEE members to develop a resume or CV using specialized tools tailored for each step of the job seeking process. Excellent resource (https://ieee.optimalresume.com/index.php).

IEEE Computer Society Build Your Career (http://www.computer.org/web/careers): Another excellent source of career information.

IEEE Job Site: Yet another excellent source of career information, plus specific job leads (http://careers.ieee.org/).

ComputerWorld IT Topic Center (http://careers.ieee.org/): Wide range of material, including news, white papers, career center, in-depth reports, and so on.

Computer Jobs (http://computerjobs.com/us/en/IT-Jobs/): Lists thousands of searchable job opportunities categorized by major metropolitan markets and skill sets.

Career Overview (http://www.careeroverview.com/): Contains jobs, job search websites, and employment resources for professionals seeking career opportunities in computers, information technology, or another high-tech field. Good source of links.

DICE (http://www.dice.com/): Frequently rated the best job site for positions worldwide in the information technology industry. The site also includes monthly articles on timely topics, salary surveys, and discussions of skills in demand.

Another resource that you might find useful is the Computer Science Student Resources site that I maintain at http://www.computersciencestudent.com. This site is for professionals as well as students. The purpose of this site is to provide documents, information, and links for computer science students and professionals. Links and documents are organized into these categories:

Computer Science Student Resources

Math: Includes a basic math refresher, a queuing analysis primer, a number system primer, and links to numerous math sites.

How-to: Advice and guidance for literature searching, solving homework problems, writing technical reports, and preparing technical presentations.

Research resources: Links to important collections of papers, technical reports, and bibliographies.

Writing: A number of useful sites and documents for improving your writing skills.

Other useful: A variety of other useful documents and links.

Careers: Useful links and documents related to career building. This page includes links to all of the sites listed earlier in this chapter, plus more.

17.5 References

BORT13: Bort, J. “Will IT certs get you jobs and raises? Survey says yes.” Network World, November 14, 2011.

DICE13: Dice. “Why DevOps Is CPR for Cloud Applications.” Dice Special Report, November 2013.

DICE14: Dice. “Critical Skills for DevOps Engineers.” Dice Special Report, August 2014.

DICE15: Dice. “Spotlight on DevOps.” Dice Special Report, 2015.

HALE14: Hales, J. SDN: How It Will Affect You and Why You Should Care. Global Knowledge white paper, 2014.

MACV15: MacVitie, L. “Network Engineers: Don’t Fear the Code.” Information Week, March 2, 2015.

METZ14b: Metzler, J. The Changing Role of the IT & Network Professional. Webtorials, July 2014.

MICR15: Microsoft. Enterprise DevOps. Microsoft white paper, 2015.

MINI14: Minick, E., Rezabek, J., and Ring, C. Application Release and Deployment for Dummies. New York: Wiley, 2014.

PRET14: Pretz, K. “Five Skills for Managing Software-Defined Networks.” IEEE The Institute, December 2014.

SHAR15: Sharma, S., and Coyne, B. DevOps for Dummies. Hoboken, NJ: Wiley, 2015.

TECH14: TechPro Research. The Future of IT Jobs: Critical Skills and Obsolescent Roles. TechPro Research Report, August 2014.

Appendix A. References

In matters of this kind, everyone feels he is justified in writing and publishing the first thing that comes into his head when he picks up a pen, and thinks his own idea as axiomatic as the fact that two and two make four. If critics would go to the trouble of thinking about the subject for years on end and testing each conclusion against the actual history of war, as I have done, they would undoubtedly be more careful of what they wrote.

On War, Carl von Clausewitz


Abbreviations

 

ACM: Association for Computing Machinery

 

IEEE: Institute of Electrical and Electronics Engineers

 

ITU-T: International Telecommunication Union—Telecommunication Standardization Sector

 

NIST: National Institute of Standards and Technology

 

RFC: Request For Comments

 
 

References

AKAM15: Akamai Technologies. Akamai’s State of the Internet. Akamai Report, Q4|2014. 2015.

BARI13: Bari, M. “PolicyCop: An Autonomic QoS Policy Enforcement Framework for Software Defined Networks,” Proc. of IEEE SDN4FNS’13, Trento, Italy, Nov. 2013.

BENS11: Benson, T., et al. “CloudNaaS: A Cloud Networking Platform for Enterprise Applications.” Proceedings, SOCC’11, October 2011.

BORT13: Bort, J. “Will IT certs get you jobs and raises? Survey says yes.” Network World, November 14, 2011.

CISC14a: Cisco Systems. Cisco Visual Networking Index: Forecast and Methodology, 2013–2018. White Paper, 2014.

CISC14b: Cisco Systems. The Internet of Things Reference Model. White paper, 2014. http://www.iotwf.com/.

CISC14c: Cisco Systems. Building the Internet of Things. Presentation, 2014. http://www.iotwf.com/.

CISC15: Cisco Systems. Internetworking Technology Handbook. July 2015. http://docwiki.cisco.com/wiki/Internetworking_Technology_Handbook.

CISC15a: Cisco Systems. Internetworking Technology Handbook. July 2015. http://docwiki.cisco.com/wiki/Internetworking_Technology_Handbook.

CISC15b: Cisco Systems. Cisco IoT System: Deploy, Accelerate, Innovate. Cisco white paper, 2015.

CLAR98: Clark, D., and Fang, W. “Explicit Allocation of Best-Effort Packet Delivery Service.” IEEE/ACM Transactions on Networking, August 1998.

COGE13: Cogent Communications. Network Services SLA Global. October 2013. http://www.cogentco.com.

CSA11: Cloud Security Alliance. Security as a Service (SecaaS). CSA Report, 2011.

CSA13: Cloud Security Alliance. The Notorious Nine Cloud Computing Top Threats in 2013. CSA Report, February 2013.

DICE13: Dice. “Why DevOps Is CPR for Cloud Applications.” Dice Special Report, November 2013.

DICE14: Dice. “Critical Skills for DevOps Engineers.” Dice Special Report, August 2014.

DICE15: Dice. “Spotlight on DevOps.” Dice Special Report, 2015.

ETSI14: ETSI TS 103 294 V1.1.1 Speech and Multimedia Transmission Quality (STQ); Quality of Experience; A Monitoring Architecture (2014-12).

FERG11: Ferguson, J., and Redish, A. “Wireless Communication with Implanted Medical Devices Using the Conductive Properties of the Body.” Expert Review of Medical Devices, Vol. 6, No. 4, 2011. http://www.expert-reviews.com.

FOST13: Foster, N. “Languages for Software-Defined Networks.” IEEE Communications Magazine, February 2013.

FRAH15: Frahim, J., et al. Securing the Internet of Things: A Proposed Framework. Cisco white paper, March 2015.

GUPT14: Gupta, D., and Jahan, R. Securing the Internet of Things: A Proposed Framework. Tata Consultancy Services White Paper, 2014. http://www.tcs.com.

HALE14: Hales, J. SDN: How It Will Affect You and Why You Should Care. Global Knowledge white paper, 2014.

HAWI14: Hawilo, H., et al. “NFV: State of the Art, Challenges, and Implementation in Next Generation Mobile Networks.” IEEE Network, November/December 2014.

HOGG14: Hogg, S. “SDN Security Attack Vectors and SDN Hardening.” Network World, October 28, 2014.

HOSS13: Hossfeld, T., et al. “Internet Video Delivery in YouTube: From Traffic Measurements to Quality of Experience.” Book chapter in Data Traffic Monitoring and Analysis: From Measurement, Classification, and Anomaly Detection to Quality of Experience, Lecture Notes in Computer Science, Volume 7754, 2013.

IBM11: IBM Study, “Every Day We Create 2.5 Quintillion Bytes of Data.” Storage Newsletter, October 21, 2011. http://www.storagenewsletter.com/rubriques/market-reportsresearch/ibm-cmo-study/.

ISGN12: ISG NFV. Network Functions Virtualization: An Introduction, Benefits, Enablers, Challenges & Call for Action. ISG NFV white paper, October 2012.

ITUT12: ITU-T. Focus Group on Cloud Computing Technical Report Part 3: Requirements and Framework Architecture of Cloud Infrastructure. FG Cloud TR, February 2012.

KAND12: Kandula, A., Sengupta, S., and Patel, P. “The Nature of Data Center Traffic: Measurements and Analysis.” ACM SIGCOMM Internet Measurement Conference, November 2009.

KETY10: Ketyko, I., De Moor, K., Joseph, W., and Martens, L. “Performing QoE-Measurements in an Actual 3G Network,” IEEE International Symposium on Broadband Multimedia Systems and Broadcasting, March 2010.

KHAN09: Khan, A., Sun, L., and Ifeachor, E. “Content Clustering Based Video Quality Prediction Model for MPEG4 Video Streaming over Wireless Networks,” IEEE International Conference on Communications, 2009.

KHAN15: Khan, F. A Beginner’s Guide to NFV Management & Orchestration (MANO). Telecom Lighthouse. April 9, 2015. http://www.telecomlighthouse.com.

KIM14: Kim, H., and Choi, S. “QoE Assessment Model for Multimedia Streaming Services Using QoS Parameters,” Multimedia Tools and Applications, October 2014.

KRAK09: Krakowiak, S. Middleware Architecture with Patterns and Frameworks. 2009. http://sardes.inrialpes.fr/%7Ekrakowia/MW-Book/.

KREU15: Kreutz, D., et al. “Software-Defined Networking: A Comprehensive Survey.” Proceedings of the IEEE, January 2015.

KUIP10: Kuipers, F., et al. “Techniques for Measuring Quality of Experience,” 8th International Conference on Wired/Wireless Internet Communications, 2010.

KUMA13: Kumar, R. Software Defined Networking—a Definitive Guide. Smashwords.com, 2013.

MA14: Ma, H., Seo, B., and Zimmermann, R. “Dynamic Scheduling on Video Transcoding for MPEG DASH in the Cloud Environment,” Proceedings of the 5th ACM Multimedia Systems Conference, March 2014.

MACV15: MacVitie, L. “Network Engineers: Don’t Fear the Code.” Information Week, March 2, 2015.

MARS06: Marsh, I., Grönvall, B., and Hammer, F. “The Design and Implementation of a Quality-Based Handover Trigger,” 5th International IFIP-TC6 Networking Conference, Coimbra, Portugal.

MCEW13: McEwen, A., and Cassimally, H. Designing the Internet of Things. New York: Wiley, 2013.

MCMU14: McMullin, M. “SDN is from Mars, NFV is from Venus.” Kemp Technologies Blog, November 20, 2014. http://kemptechnologies.com/blog/sdn-mars-nfv-venus.

METZ14a: Metzler, J. The 2015 Guide to SDN and NFV. Webtorials, December 2014.

METZ14b: Metzler, J. The Changing Role of the IT & Network Professional. Webtorials, July 2014.

MICR15: Microsoft. Enterprise DevOps. Microsoft white paper, 2015.

MINI14: Minick, E., Rezabek, J., and Ring, C. Application Release and Deployment for Dummies. New York: Wiley, 2014.

MOLL12: Moller, S., Callet, P., and Perkis, A. “Qualinet White Paper on Definitions of Quality of Experience,” European Network on Quality of Experience in Multimedia Systems and Services (COST Action IC 1003), 2012.

MURP07: Murphy, L., et al. “An Application-Quality-Based Mobility Management Scheme,” Proceedings of 9th IFIP/IEEE International Conference on Mobile and Wireless Communications Networks, 2007.

NAKI15: Nakina Systems. Achieving Security Integrity in Service Provider NFV Environments. Nakina Systems white paper, 2015.

NETW14: Network World. Survival Tips for Big Data’s Impact on Network Performance. White paper. April 2014.

NGUY13: Nguyen, X., et al. “Efficient Caching in Content-Centric Networks using OpenFlow,” 2013 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), 2013.

NGUY14: Nguyen, X., Saucez, D., and Thierry, T. “Providing CCN Functionalities over OpenFlow Switches,” hal-00920554, 2013. https://hal.inria.fr/hal-00920554/.

ODCA14: Open Data Center Alliance. Open Data Center Alliance Master Usage Model: Software-Defined Networking Rev. 2.0. White Paper. 2014.

ONF12: Open Networking Foundation. Software-Defined Networking: The New Norm for Networks. ONF White Paper, April 13, 2012.

ONF14: Open Networking Foundation. OpenFlow-Enabled SDN and Network Functions Virtualization. ONF white paper, February 17, 2014.

POTT14: Pott, T. “SDI Wars: WTF Is Software Defined Center Infrastructure?” The Register, October 17, 2014. http://www.theregister.co.uk/2014/10/17/sdi_wars_what_is_software_defined_infrastructure/.

PRET14: Pretz, K. “Five Skills for Managing Software-Defined Networks.” IEEE The Institute, December 2014.

QUIN12: Quintero, M., and Raake, A. “Is Taking into Account the Subjects’ Degree of Knowledge and Expertise Enough When Rating Quality?” Fourth International Workshop on Quality of Multimedia Experience (QoMEX), pp. 194–199, 5–7 July 2012.

SCHE13: Scherz, P., and Monk, S. Practical Electronics for Inventors. New York: McGraw-Hill, 2013.

SCHN14: Schneier, B. “The Internet of Things is Wildly Insecure—and Often Unpatchable.” Wired, January 6, 2014.

SDNC14: SDNCentral. SDNCentral Network Virtualization Report, 2014 Edition, 2014.

SEGH12: Seghal, A., et al. “Management of Resource Constrained Devices in the Internet of Things.” IEEE Communications Magazine, December 2012.

SHAR15: Sharma, S., and Coyne, B. DevOps for Dummies. Hoboken, NJ: Wiley, 2015.

SHEN11: Schenker, S. “The Future of Networking, and the Past of Protocols,” October 2011. Video: http://www.youtube.com/watch?v=YHeyuD89n1Y; Slides: http://www.slideshare.net/martin_casado/sdn-abstractions.

STAL15a: Stallings, W., and Brown, L. Computer Security: Principles and Practice. Englewood Cliffs, NJ: Pearson, 2015.

STAL15b: Stallings, W. Cryptography and Network Security. Englewood Cliffs, NJ: Pearson, 2015.

STAN14: Stankovic, J. “Research Directions for the Internet of Things.” Internet of Things Journal, Vol. 1, No. 1, 2014.

SZIG14: Szigeti, T., Hattingh, C., Barton, R., and Briley, K. End-to-End QoS Network Design: Quality of Service for Rich-Media & Cloud Networks. Englewood Cliffs, NJ: Pearson, 2014.

TECH14: TechPro Research. The Future of IT Jobs: Critical Skills and Obsolescent Roles. TechPro Research Report, August 2014.

VAQU14: Vaquero, L., and Rodero-Merino, L. “Finding Your Way in the Fog: Towards a Comprehensive Definition of Fog Computing.” ACM SIGCOMM Computer Communication Review, October 2014.

WANG12: Wang, G., Ng, E., and Shaikh, A. “Programming Your Network at Run-Time for Big Data Applications.” Proceedings, HotSDN’12, August 13, 2012.

XI11: Xi, H. “Bandwidth Needs in Core and Aggregation Nodes in the Optical Transport Network.” IEEE 802.3 Industry Connections Ethernet Bandwidth Assessment Meeting, November 8, 2011. http://www.ieee802.org/3/ad_hoc/bwa/public/nov11/index_1108.html.

Glossary

In studying the Imperium, Arrakis, and the whole culture which produced Maud’Dib, many unfamiliar terms occur. To increase understanding is a laudable goal, hence the definitions and explanations given below.

Dune, Frank Herbert

3G: Third-generation wireless cellular communications technology. Designed to provide fairly high-speed wireless communications to support multimedia, data, and video in addition to voice. Target data rates are 144 and 384 kbps. Some 3G systems also provide support up to 2 Mbps for office use.

4G: Fourth-generation wireless cellular communications technology. Based on an all-IP packet-switched network. Supports peak data rates of up to approximately 100 Mbps for high-mobility mobile access and up to approximately 1 Gbps for low-mobility access such as local wireless access.

5G: Projected fifth-generation wireless cellular communications technology. The focus for 5G will be on building more intelligence into the network, to meet service quality demands by dynamic use of priorities, adaptive network reconfiguration, and other network management techniques.

access network: A network that connects directly to the end user or customer.

accuracy: The closeness of agreement between the result of a measurement and the true value of the measure. It can be expressed as a qualitative assessment of correctness, or freedom from error, or a quantitative measure of the expected magnitude of error.

actuator: A device that accepts an electrical signal and converts it into a physical, chemical, or biological action.

analytics: Analysis of massive amounts of data, particularly with a focus on decision making.

application lifecycle management: The administration and control of an application from inception to its demise. It embraces requirements management, system design, software development, and configuration management, and it implies an integrated set of tools for developing and controlling the project.

application programming interface (API): A language and message format used by an application program to communicate with the operating system or some other control program such as a database management system (DBMS) or communications protocol. APIs are implemented by writing function calls in the program, which provide the linkage to the required subroutine for execution. An open or standardized API can ensure the portability of the application code and the vendor independence of the called service.

application provider: An entity generating/selling user applications to be executed on the user’s platform.

application service provider: An organization that hosts software applications within its own facilities. It provides network-accessible applications such as e-mail, web hosting, banking, and cloud-based services.

attack surface: The reachable and exploitable vulnerabilities in a system.

attack vector: The method or type of attack on a computer system or network.

autonomous system (AS): A network that is administered by a single set of management rules that are controlled by one person, group, or organization. Autonomous systems often use only one routing protocol, although multiple protocols can be used. The core of the Internet is made up of many autonomous systems.

backbone network: Same as core network.

best effort: A network or Internet delivery technique that does not guarantee delivery of data and treats all packets equally. All packets are forwarded on a first-come, first-served basis. Preferential treatment based on priority or other concerns is not provided.

big data: A collection of data on such a large scale that standard data analysis and management tools are not adequate. More broadly, big data refers to the volume, variety, and velocity of structured and unstructured data pouring through networks into processors and storage devices, along with the conversion of such data into business advice for enterprises.

刀片服务器:在单个机箱中容纳多个服务器模块(刀片)的服务器架构。广泛应用于数据中心,以节省空间并改善系统管理。无论是自立式还是机架式,机箱提供电源,每个刀片都有自己的CPU、内存和硬盘。

blade server: A server architecture that houses multiple server modules (blades) in a single chassis. It is widely used in data centers to save space and improve system management. Either self-standing or rack mounted, the chassis provides the power supply, and each blade has its own CPU, memory, and hard disk.

 

广播:网络上或网络域内的所有主机都能识别的地址。通过广播寻址,每个交换机使用一个传输流,此时数据通过单独的线路分发给最终用户。

broadcast: An address recognized by all hosts on a network or within a network domain. With broadcast addressing, one transmission stream is used to each switch, at which point data are distributed out to the end users on separate lines.

 

业务支持系统 (BSS):支持面向客户的活动的软件应用程序。计费、订单管理、客户关系管理和呼叫中心自动化都是 BSS 应用程序。BSS 还可能包含面向客户的 OSS 应用程序,例如故障单和服务保证;这些是后台活动,但通过与客户联系直接启动。

business support system (BSS): Software applications that support customer-facing activities. Billing, order management, customer relationship management and call center automation are all BSS applications. BSS may also encompass the customer-facing veneer of OSS application such as trouble-ticketing and service assurance; these are back-office activities but initiated directly by contact with the customer.

 

capital expenditure (CapEx): A business expense incurred to create future benefits. A CapEx is incurred when a business spends money either to buy fixed assets or to add to the value of an existing asset with a useful life that extends beyond the tax year.

client/server: A common form of distributed system in which software is split between server tasks and client tasks. A client sends requests to a server, according to some protocol, asking for information or action, and the server responds.

cloud computing: A loosely defined term for any system providing access via the Internet to processing power, storage, software or other computing services, often via a web browser. Often, these services are rented from an external company that hosts and manages them.

commercial off-the-shelf (COTS): Item that is commercially available, leased, licensed, or sold to the general public and that requires no special modification or maintenance over the lifecycle of the product to meet the needs of the procuring agency.

Communication as a Service (CaaS): A service offered via cloud computing in which the capability provided to the cloud service customer is real-time interaction and collaboration.

congestion: The condition of a network when there is not enough capacity to support the current traffic load.

congestion control: Protocol mechanisms for relieving or avoiding congestion.

consortium: A group of independent organizations joined by common interests. In the area of standards development, a consortium typically consists of individual corporations and trade groups concerned with a specific area of technology.

constrained device: In an IoT, a device with limited volatile and nonvolatile memory, limited processing power, and a low-data-rate transceiver.

container: Hardware or software that provides an execution environment for software.

container virtualization: A technique where the underlying operating environment of an application is virtualized. This will commonly be the operating system kernel, and the result is an isolated container in which the application can run.

content provider: An organization or individual that creates information, including educational or entertainment content distributed via the Internet or enterprise networks. A content provider may or may not provide the software used to access the material.

core network: A central network that provides networking services to attached distribution and access networks. Also referred to as a backbone network.

core router: A router that resides within the middle of the network rather than at its periphery. The routers that make up the backbone of the Internet are core routers.

cross-section bandwidth: For a network, this is the maximum bidirectional data rate that can pass between two parts of the network if it is divided into two equal halves. Also referred to as bisection bandwidth.

data deduplication: The elimination of redundant data. It includes (1) compressing data by only storing changes to data, and (2) replacing duplicate copies of chunks of data or files with pointers to a single copy.

datagram: A packet that is treated independently of other packets for packet switching. A datagram carries information sufficient for routing from the source to the destination without the necessity of establishing a logical connection between the endpoints.

deep packet inspection: Analyzing network traffic to discover the type of application that sent the data. In order to prioritize traffic or filter out unwanted data, deep packet inspection can differentiate data, such as video, audio, chat, Voice over IP (VoIP), e-mail, and web. Inspecting the packets all the way up to the application layer, it can be used to analyze anything within the packet that is not encrypted. For example, it can determine not only that the packets contain the contents of a web page but also which website the page is from.

delay jitter: The variation in delay associated with the transfer of packets between two points. Typically measured as the maximum variation in delay experienced by packets in a single session.

denial of service (DoS): The prevention of authorized access to resources or the delaying of time-critical operations.

DevOps (development operations): The tighter integration between the developers of applications and the IT department that tests and deploys them. DevOps is said to be the intersection of software engineering, quality assurance, and operations.

differentiated services: Functionality in the Internet and private internets to support specific QoS requirements for a group of users, all of whom use the same service label in IP packets.

differentiated services codepoint (DSCP): A 6-bit field in the IP header that is used to classify packets for differentiated services (a form of QoS traffic management).

distributed denial of service (DDoS): An attack in which multiple systems are used to flood servers, network devices, or links with traffic in an attempt to overwhelm their available resources (bandwidth, memory, processing power, and so on), making them unavailable to respond to legitimate users.

distribution network: Connects access networks to a core network.

edge router: A router that sits at the periphery of a network. Also called an access router or aggregation router.

elastic traffic: Network traffic that is tolerant to variations in delay, jitter, and throughput. Typically carried over TCP or UDP.

embedded system: Any device that includes a computer chip, but that is not a general-purpose workstation, desktop or laptop computer.

electronic product code (EPC): A standard code for RFID tags. The EPC ranges from 64 to 256 bits and contains, at minimum, the product number, serial number, company ID and EPC version. Several bodies are involved in developing standards, including GS1 and EPCglobal.

end user: The ultimate consumer of applications, data and services on a computing platform.

Ethernet: The commercial name for a wired local-area network technology. It involves the use of a shared physical medium, a medium access control protocol, and transmission of data in packets. Standards for Ethernet products are defined by the IEEE 802.3 committee.

exterior router protocol (ERP): A protocol that distributes routing information to collaborating routers that connect autonomous systems. BGP is an example of an ERP. Historically, referred to as an exterior gateway protocol.

flow: A sequence of packets between a source and destination that are recognized by the network as related and are treated in a uniform fashion.

fog computing: A scenario in which a massive number of heterogeneous, decentralized devices communicate with each other and with the network to perform storage and processing tasks without the intervention of third parties.

hardware virtualization: The use of software to partition a computer’s resources into separate and isolated entities called virtual machines. It enables multiple copies of the same or different operating systems to execute on the computer and prevents applications from different virtual machines from interfering with each other.

high-availability (HA) cluster: A multiple-computer architecture consisting of redundant network nodes that deliver a secondary or backup service when the primary service fails. Such clusters build redundancy into their computing environments to eliminate single points of failure, and they can incorporate multiple network connections, redundant data storage volumes, doubled-up power supplies, and other backup components and capabilities.

hypervisor introspection: The hypervisor capability to monitor each guest OS or virtual machine as it is running, for security purposes.

IEEE 802: A committee of the Institute of Electrical and Electronics Engineers (IEEE) responsible for developing standards for local- and metropolitan-area networks (LANs and MANs).

IEEE 802.1: An IEEE 802 working group responsible for developing standards in the following areas: 802 LAN/MAN architecture, internetworking among 802 LANs, MANs and other wide-area networks, 802 Security, 802 overall network management.

IEEE 802.3: An IEEE 802 working group responsible for developing standards for Ethernet local-area networks (LANs).

inelastic traffic: Network traffic that is relatively intolerant to variations in delay, jitter, and throughput. Real-time traffic is an example of inelastic traffic.

information technology (IT): The common term for the entire spectrum of technologies for information processing, including software, hardware, communications technologies, and related services. In general, IT does not include embedded technologies that do not generate data for enterprise use.

Infrastructure as a Service (IaaS): A group of capabilities offered via cloud computing in which the cloud service customer can provision and use processing, storage, or networking resources.

interior router protocol (IRP): A protocol that distributes routing information to collaborating routers within an autonomous system. RIP and OSPF are examples of IRPs. Historically, referred to as an interior gateway protocol.

Internet: A worldwide internetwork based on TCP/IP that interconnects thousands of public and private networks and millions of users.

internet (with lower case “i”): A large network made up of a number of smaller networks. Also referred to as an internetwork.

Internet of Things (IoT): The expanding connectivity, particularly via the Internet, of a wide range of sensors, actuators, and other embedded systems. In almost all cases, there is no human user, with interaction fully automated.

Internet Protocol (IP): A standardized protocol that executes in hosts and routers to interconnect a number of independent networks.

IP security (IPsec): Suite of protocols for securing IP communications at the network layer by authenticating and/or encrypting each IP packet in a data stream. IPsec also includes protocols for cryptographic key management.

LAN switch: A packet-forwarding network device for (1) interconnecting end systems in a local area to form a local-area network (LAN) segment, (2) connecting with other LAN switches to form a larger LAN, and (3) providing connection to routers and other network devices for wide-area network connectivity.

Layer 3 (L3) switch: A high-performance device for network routing. Layer 3 switches are very similar to routers. The key difference between L3 switches and routers is that an L3 switch replaces some of a router’s software logic with hardware to offer better performance. L3 switches often cost less than traditional routers. Designed for use within local networks, a Layer 3 switch will typically not possess the WAN ports and wide-area network features a traditional router has.

media access control (MAC) frame: A group of bits that includes source and destination addresses and other protocol control information plus, optionally, data. It is the basic unit of transmission on Ethernet and Wi-Fi LANs.

microcontroller: A single chip that contains the processor, non-volatile memory for the program (ROM or flash), volatile memory for input and output (RAM), a clock and an I/O control unit. Also called a computer on a chip.

microprocessor: A processor whose elements have been miniaturized into one or a few integrated circuits.

Multiprotocol Label Switching (MPLS): A protocol developed by the IETF for directing packets in a wide-area IP network, or other WAN. MPLS adds a 32-bit label to each packet to improve network efficiency and to enable routers to direct packets along predefined routes in accordance with the required quality of service.

Network as a Service (NaaS): A service offered via cloud computing in which the capability provided to the cloud service customer is transport connectivity and related network capabilities.

network convergence: The provision of telephone, video, and data communication services within a single network.

network interface card: An adapter circuit board installed in a computer to provide a physical connection to a network.

network functions virtualization: The virtualization of network functions by implementing these functions in software and running them on virtual machines.

network operating system (NOS): A server-based operating system oriented to computer networking. It may include directory services, network management, network monitoring, network policies, user group management, network security and other network-related functions.

network provider: An organization that delivers communications services over a typically large geographic area. It provides, maintains, and manages network equipment and networks, either public or private.

northbound API: In an SDN environment, the interface between the control and application planes.

Open Service Gateway Initiative (OSGi): A set of specifications that defines a dynamic component system for Java. These specifications reduce software complexity by providing a modular architecture for large-scale distributed systems as well as small, embedded applications.

open standard: A standard that is developed on the basis of an open decision-making procedure available for implementation to all interested parties, that is available to all on a royalty-free basis, and that is intended to promote interoperability among products from multiple vendors.

operational expenditure (OpEx): Refers to business expenses incurred in the course of ordinary business, such as maintenance and operation of equipment.

operational technology (OT): Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.

operations support system (OSS): Software (occasionally hardware) applications that support back-office activities which operate a network, and provision and maintain customer services. OSS is typically used by network planners, service designers, operations, architects, support, and engineering teams in the service provider.

packet: A unit of data sent across a network. A packet is a group of bits that includes data plus protocol control information. The term generally applies to protocol data units at the network layer.

packet forwarding: The function performed by a router of accepting a packet on an input link and transmitting it on an output link.

packet switching: A method of transmitting messages through a communications network, in which long messages are subdivided into short packets. Each packet is passed from source to destination through intermediate nodes. At each node, the entire message is received, stored briefly, and then forwarded to the next node.

peer: On the same level or providing the same function. In networking, a peer is a node that provides the same functionality as another. For example, two desktop PCs in a network are peers. A desktop PC and a server are not peers as they perform different operations. The desktop PC may query the server for business data, but the server does not query the PC for the same data.

peering: An agreement between two routers to accept each other’s data packets and forward them. A peer relationship generally involves the exchange of routing information.

Platform as a Service (PaaS): A group of capabilities offered via cloud computing in which the cloud service customer can deploy, manage and run customer-created or customer-acquired applications using one or more programming languages and one or more execution environments supported by the cloud service provider.

Power over Ethernet (PoE): Distributing power over an Ethernet cable to a target device that is not plugged into an AC wall outlet. PoE enables remote network devices in locations far away from AC sources.

powerline carrier (PLC): A data network that uses a building’s electrical system as the transmission medium and regular wall outlets as connecting points. It is commonly used to extend a wired Ethernet network into another room.

precision: The degree of agreement of repeated measurements of the same property, expressed quantitatively as the standard deviation computed from the results of the series of measurements.

protocol: A set of semantic and syntactic rules that describe how to transmit data, especially across a network. Low-level protocols define the electrical and physical standards to be observed, bit- and byte-ordering, and the transmission and error detection and correction of the bit stream. High-level protocols deal with the data formatting, including the syntax of messages, semantics of messages, character sets, and sequencing of messages.

protocol architecture: The software structure that implements the communications function. Typically, the protocol architecture consists of a layered set of protocols, with one or more protocols at each layer.

protocol control information: Information exchanged between entities of a given layer, via the service provided by the next lower layer, to coordinate their joint operation.

protocol data unit (PDU): Information that is delivered as a unit between peer entities of a network. A PDU typically contains control information and address information in a header. The PDU may also contain data.

quality of experience (QoE): A subjective measure of performance in a system. QoE relies on human opinion and differs from quality of service (QoS), which can be precisely measured.

quality of service (QoS): The measurable end-to-end performance properties of a network service, which can be guaranteed in advance by a service level agreement between a user and a service provider, so as to satisfy specific customer application requirements. Note: These properties may include throughput (bandwidth), transit delay (latency), error rates, priority, security, packet loss, packet jitter, and so on.

radio-frequency identification (RFID): A data collection technology that uses electronic tags attached to items to allow the items to be identified and tracked by a remote system. The tag consists of an RFID chip attached to an antenna.

real time: As fast as required. A real-time system must respond to a signal, event or request fast enough to satisfy some requirement.

real-time traffic: A data flow that must meet real-time requirements, such as low jitter and low delay.

Request For Comments (RFC): A document in the archival series that is the official channel for publications of the Internet Society, including IETF and IRTF publications. An RFC may be informational, best practice, draft standard, or an official Internet Standard.

resolution: The smallest distinguishable increment into which a measured quantity is divided.

role-based access control (RBAC): Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.

router: A network device that forwards data packets from one network to another. The forwarding decision is based on network layer information and routing tables, often constructed by routing protocols. Routers require packets formatted in a routable protocol, the global standard being the Internet Protocol (IP).

routing: The determination of a path that a data unit (frame, packet, message) will traverse from source to destination.

routing protocol: A protocol used by routers to determine the appropriate path onto which data should be forwarded. The routing protocol also specifies how routers report changes and share information with the other routers in the network that they can reach.

scale out: Expand the capability of a single physical machine or virtual machine.

scale up: Expand capability by adding additional physical or virtual machines.

sensor: A device that converts a physical, biological, or chemical parameter into an electrical signal.

service provider: A network-accessible entity that can provide services to an end user.

Software as a Service (SaaS): A group of capabilities offered via cloud computing in which the cloud service customer can use the cloud service provider’s applications.

software-defined networking (SDN): An approach to designing, building and operating large-scale networks based on programming the forwarding decisions in routers and switches via software from a central server. SDN differs from traditional networking, which requires configuring each device separately and which relies on protocols that cannot be altered.

software-defined storage (SDS): An approach to data storage management and use in which the software that controls storage-related tasks is decoupled from the physical storage hardware.

southbound API: In an SDN environment, the interface between the control and data planes.

standard: A document that provides requirements, specifications, guidelines, or characteristics that can be used consistently to ensure that materials, products, processes, and services are fit for their purpose. Standards are established by consensus among those participating in a standards-making organization and are approved by a generally recognized body.

standards-developing organization (SDO): An official national, regional, or international standards body that develops standards and/or coordinates the standards activities of a specific country, region, or the world. Some SDOs facilitate the development of standards through support of technical committee activities, and some may be directly involved in standards development.

TCP/IP protocol architecture: The protocol architecture built around the TCP and IP protocols, consisting of five layers: physical, data link, network/internet (usually IP), transport (usually TCP or UDP), and application.

token bucket: A data-flow control mechanism that adds tokens at periodic time intervals into a buffer (bucket) and allows a data packet to leave the sender only if there are at least as many tokens in the bucket as the packet length of the data packet. This strategy allows precise control of the time interval between two data packets in the network.

top-of-rack (ToR) switch: A blade server arrangement in which servers connect to one or two Ethernet switches installed inside the rack. The actual physical location of the switch does not necessarily need to be at the top of the rack. Other switch locations could be bottom of the rack or middle of rack. However, top of the rack is most common due to easier accessibility and cleaner cable management.

traffic engineering: That aspect of network engineering dealing with the issues of performance evaluation and performance optimization of operational networks. Traffic engineering encompasses the application of technology and scientific principles to the measurement, characterization, modeling, and control of network traffic.

transceiver: A device that can both transmit and receive information.

unicast: An address that only one host will recognize. With unicast addressing, even though multiple users might request the same data from the same server at the same time, duplicate data streams are transmitted, one to each user.

unified communications: The integration of real-time enterprise communication services such as instant messaging, presence information, voice (including IP telephony), web and video conferencing, and speech recognition with non-real-time communication services such as unified messaging (integrated voicemail, e-mail, SMS, and fax).

Uniform Resource Identifier (URI): A compact sequence of characters that identifies an abstract or physical resource. The URI specification (RFC 3986) defines a syntax for encoding arbitrary naming or addressing schemes, and provides a list of such schemes. The URL (Uniform Resource Locator) is a type of URI, in which an access protocol is designated and a specific Internet address is provided.

virtual local-area network (VLAN): A virtual network abstraction on top of a physical packet-switched network. A VLAN is essentially a broadcast domain for a specified set of switches. These switches are required to be aware of the existence of VLANs and configured accordingly, to perform switching of packets between devices belonging to the same VLAN.

virtual machine: One instance of an operating system along with one or more applications running in an isolated partition within the computer. It enables different operating systems to run in the same computer at the same time as well as prevents applications from interfering with each other.

virtual machine monitor (VMM): A system program that provides a virtual machine environment. Also called a hypervisor.

virtual network: An abstraction of physical network resources as seen by some upper software layer. Virtual network technology enables a network provider to support multiple virtual networks that are isolated from one another. Users of a single virtual network are not aware of the details of the underlying physical network or of the other virtual network traffic sharing the physical network resources.

virtual private network (VPN): The use of encryption and authentication in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet. VPNs are generally cheaper than real private networks using private lines but rely on having the same encryption and authentication system at both ends. The encryption may be performed by firewall software or possibly by routers.

virtualization: A variety of technologies for managing computer resources by providing an abstraction layer between the software and the physical hardware. These technologies effectively emulate or simulate a hardware platform, such as a server, storage device, or network resource, in software.

Wi-Fi: Refers to the wireless LAN technology standardized by the IEEE 802.11 committee. The term Wi-Fi designates products that have been certified by the Wi-Fi Alliance to conform to the 802.11 standards and have passed interoperability tests.

Index

Symbols

1-Gbps Ethernet, 15-16

1G (first generation) cellular networks, 23

2G (second generation) cellular networks, 23

2.5-Gbps Ethernet, 19

3G (third generation) cellular networks, 24

4G (fourth generation) cellular networks, 24

5-Gbps Ethernet, 19

5G (fifth generation) cellular networks, 25

10-Gbps Ethernet, 16-17

25-Gbps Ethernet, 18

50-Gbps Ethernet, 18

100-Gbps Ethernet, 17

400-Gbps Ethernet, 19

A

AAA (authentication, authorization, and accounting), 126-127

ABAP, 488

abstractions

defined, 147

ICN, 170-173

SDN, 146-149

abstractions, 147-149

Frenetic, 150-152

abuse security threats, 450

access, 10

big data concerns, 48

control RFID technology, 388

facilities, 6

management

cloud security, 448

SecaaS, 455

accountability, 436

accounts, hijacking, 451

accuracy (sensors), 379

ACM Career Resources website, 489

ACs (attachment circuits), 244

action buckets, 108

actionable QoE, 330-331

actions

defined, 101

flow tables, 101-102

VTN flow filter, 256

 

主动测量技术,295

active measurement techniques, 295

 

执行装置(物联网),396

actuating devices (IoT), 396

 

执行器, 29 , 380 - 381

actuators, 29, 380-381

 

地址

addresses

 

广播, 231

broadcast, 231

 

单播,231

unicast, 231

 

准入控制

admission control

 

ISA,275

ISA, 275

 

交通, 271

traffic, 271

 

Adobe 体验经理,489

Adobe Experience Manager, 489

 

AF(保证转发)PHB,288 - 289

AF (assured forwarding) PHB, 288-289

 

代理人

agents

 

物联网,399

IoT, 399

 

管理,275

management, 275

 

体验质量,337 - 339

QoE, 337-339

 

聚合路由器,8

aggregation routers, 8

 

敏捷软件开发,471

agile software development, 471

 

敏捷

agility

 

云计算,50

cloud computing, 50

 

内华达州,253

NV, 253

 

算法,路由,273

algorithms, routing, 273

 

电信行业解决方案联盟 (ATIS),89

Alliance for Telecommunications Industry Solutions (ATIS), 89

 

所有类型 团体类型, 108

all type group type, 108

 

ALM(应用程序生命周期管理),473

ALM (application lifecycle management), 473

 

亚马逊网络服务(AWS),482

Amazon Web Services (AWS), 482

 

分析

analytics

 

大数据,46

big data, 46

 

思科物联网系统,424 - 425

Cisco IoT system, 424-425

 

定义, 46

defined, 46

 

物联网,30

IoT, 30

 

安西布尔,489

Ansible, 489

 

防伪RFID技术,388

anti-counterfeiting RFID technology, 388

 

阿帕奇卡夫卡,489

Apache Kafka, 489

 

API(应用程序编程接口),83

APIs (application programming interfaces), 83

 

云安全,450

cloud security, 450

 

定义,83

Defined, 83

 

QoE 监控层,337

QoE monitoring layers, 337

 

休息,130 - 132

REST, 130-132

 

SDN,83

SDN, 83

 

SDN北向控制器,117

SDN northbound controller, 117

 

应用层(IWF物联网参考模型),407

application level (IWF IoT reference model), 407

 

应用

applications

 

收敛,30

convergence, 30

 

发展, 471

development, 471

 

弹性,39

elastic, 39

 

支持平台组件(思科物联网系统),426

enablement platform component (Cisco IoT system), 426

 

生命周期管理(ALM),473

lifecycle management (ALM), 473

 

处理器,383

processors, 383

 

编程接口。查看 API

programming interfaces. See APIs

 

供应商, 6

providers, 6

 

QoE/QoS 视频服务映射模型,328 - 329

QoE/QoS video services mapping models, 328-329

 

实时,43

real-time, 43

 

无线射频识别,387 - 389

RFID, 387-389

 

SDI,258

SDI, 258

 

SDN, 85 , 145 - 147

SDN, 85, 145-147

 

应用程序, 147

applications, 147

 

数据中心网络,162 - 168

data center networking, 162-168

 

国际CN,168 - 173

ICN, 168-173

 

测量,157

measurement, 157

 

移动/无线,168

mobility/wireless, 168

 

监控,157

monitoring, 157

 

网络服务抽象层,146 - 152

network services abstraction layer, 146-152

 

北向接口,146

northbound interface, 146

 

安全, 157 - 159 , 162

security, 157-159, 162

 

交通工程,153 - 156

traffic engineering, 153-156

 

用户界面,147

user interfaces, 147

 

服务等级特征,41

service class characteristics, 41

 

服务提供商,7

service providers, 7

 

架构

architectures

 

云计算

cloud computing

 

ITU-T 云计算参考,365 - 368

ITU-T cloud computing reference, 365-368

 

NIST 云计算参考,361 - 365

NIST cloud computing reference, 361-365

 

云NaaS,167

CloudNaaS, 167

 

云安全,448

cloud security, 448

 

防御4全部,160 - 162

Defense4All, 160-162

 

开发运营,472

DevOps, 472

 

企业局域网,12

enterprise LAN, 12

 

不断变化的趋势

evolving trends

 

复杂的交通模式,78

complex traffic patterns, 78

 

需求增加,77

demand increases, 77

 

架构不足,79 - 80

inadequate architectures, 79-80

 

供应增加,77

supply increases, 77

 

全球,7 - 8

global, 7-8

 

层次结构, 9

hierarchy, 9

 

访问, 10

access, 10

 

核心, 11

core, 11

 

分布, 10

distribution, 10

 

不足, 79

inadequate, 79

 

物联网

IoT

 

福利,395

benefits, 395

 

ITU-T 参考模型,395 - 401

ITU-T reference model, 395-401

 

IWF 参考模型,401 - 408

IWF reference model, 401-408

 

马诺,217

MANO, 217

 

NFV 参考,193 - 194

NFV reference, 193-194

 

实施,196

implementation, 196

 

管理/编排,194

management/orchestration, 194

 

参考点,195

reference points, 195

 

内华达州,250 - 252

NV, 250-252

 

开放日光,122

OpenDaylight, 122

 

基本网络服务功能,124

base network service functions, 124

 

控制平面/应用平面功能,123

control plane/application plane functionality, 123

 

灵活性,123

flexibility, 123

 

氦气,124

Helium, 124

 

层数,122

layers, 122

 

模块,125 - 127

modules, 125-127

 

萨尔,123

SAL, 123

 

SDNI, 141 - 142

SDNi, 141-142

 

PolicyCop 申请,154

PolicyCop application, 154

 

服务质量,268

QoS, 268

 

控制平面,271 - 272

control plane, 271-272

 

数据平面,269 - 271

data plane, 269-271

 

管理平面,272

management plane, 272

 

休息

REST

 

API 示例,130 - 132

API example, 130-132

 

限制,128 - 130

constraints, 128-130

 

定义, 128

defined, 128

 

URI,129

URIs, 129

 

SDI,261 - 262

SDI, 261-262

 

SDN 高级(ITU-T Y.3300),120 - 121

SDN high-level (ITU-T Y.3300), 120-121

 

安全数据表,259

SDS, 259

 

SLA,292

SLAs, 292

 

TCP/IP,79

TCP/IP, 79

 

传统,79 - 80

traditional, 79-80

 

UC

UC

 

音频会议,34

audio conferencing, 34

 

福利, 36

benefits, 36

 

收敛,35

convergence, 35

 

定义, 33

defined, 33

 

元素,33 - 35

elements, 33-35

 

即时通讯,34

instant messaging, 34

 

IP 支持联络中心,35

IP enabling contact centers, 35

 

流动性, 35

mobility, 35

 

存在, 35

presence, 35

 

RTC 仪表板,33

RTC dashboard, 33

 

统一消息传递,34

unified messaging, 34

 

视频会议,34

video conferencing, 34

 

网络会议,34

web conferencing, 34

 

用例 (NFV),222 - 223

use cases (NFV), 222-223

 

虚拟机,180 - 183

VMs, 180-183

 

越南电信,257

VTN, 257

 

ARP操作码字段(流表匹配字段),100

ARP opcode field (flow table match fields), 100

 

AS(自治系统),58

AS (autonomous systems), 58

 

放心转发 (AF) PHB,288 - 289

assured forwarding (AF) PHB, 288-289

 

异步消息,109

asynchronous messages, 109

 

ATIS(电信行业解决方案联盟),89

ATIS (Alliance for Telecommunications Industry Solutions), 89

 

连接电路 (AC),244

attachment circuits (ACs), 244

 

攻击面

attack surfaces

 

网络功能虚拟化,441 - 444

NFV, 441-444

 

SDN,437

SDN, 437

 

音频会议,34

audio conferencing, 34

 

身份验证, 438

authentication, 438

 

身份验证、授权和计费 (AAA),126 - 127

authentication, authorization, and accounting (AAA), 126-127

 

真实性, 435

authenticity, 435

 

自治系统(AS),58

autonomous systems (AS), 58

 

可用性

availability

 

云安全,448 - 449

cloud security, 448-449

 

安全要求,435

security requirement, 435

 

SLA,292

SLAs, 292

 

AWS(亚马逊网络服务)认证计划,482

AWS (Amazon Web Services) certification programs, 482

 

B

 

骨干网络。查看 核心网络

backbone networks. See core networks

 

背压,64

backpressure, 64

 

带宽

bandwidth

 

3G 蜂窝网络,24

3G cellular networks, 24

 

横截面,163

cross-section, 163

 

“光传输网络中核心节点和聚合节点的带宽需求”网站,37

“Bandwidth Needs in Core and Aggregation Nodes in the Optical Transport Network” website, 37

 

灯塔,115

Beacon, 115

 

行为聚合,280

behavior aggregates, 280

 

好处

benefits

 

云计算,27

cloud computing, 27

 

收敛,32

convergence, 32

 

弹性流量,40

elastic traffic, 40

 

网络功能虚拟化,191 - 192

NFV, 191-192

 

内华达州,252

NV, 252

 

加州大学,36

UC, 36

 

尽力送货服务,267

best effort delivery service, 267

 

BGP(边界网关协议),136

BGP (Border Gateway Protocol), 136

 

定义, 136

defined, 136

 

函数, 136

functions, 136

 

邻居收购/可达性,136

neighbor acquisitions/reachability, 136

 

网络可达性,137

network reachability, 137

 

开放日光,126

OpenDaylight, 126

 

SDN,138 - 140

SDN, 138-140

 

大数据,45

big data, 45

 

分析,46

analytics, 46

 

应用程序(SDN),163 - 164

applications (SDN), 163-164

 

关注领域,48

areas of concern, 48

 

定义, 45

defined, 45

 

生态系统示例,46 - 48

ecosystem example, 46-48

 

基础设施, 46

infrastructures, 46

 

三个V,48

three V’s, 48

 

二进制显式拥塞信令,66

binary explicit congestion signaling, 66

 

基于黑盒媒体的 QoE/QoS 映射模型,323 - 325

black-box media-based QoE/QoS mapping models, 323-325

 

刀片服务器,14

blade servers, 14

 

边界网关协议(BGP),136

Border Gateway Protocol (BGP), 136

 

边界节点(DiffServ),280

boundary nodes (DiffServ), 280

 

广播地址,231

broadcast addresses, 231

 

广播域,231

broadcast domains, 231

 

锦缎

Brocade

 

移动分析 DevOps 相关产品,479

Mobile Analytics DevOps related products, 479

 

NFV 认证,481

NFV certification, 481

 

建筑物物联网服务,377

buildings IoT services, 377

 

批量传输容量指标,294

bulk transfer capacity metric, 294

 

业务连续性,456

business continuity, 456

 

业务驱动的融合,31

business-driven convergence, 31

 

C

C

 

CaaS(通信即服务),355 - 357

CaaS (Communications as a Service), 355-357

 

缓存约束(REST),129

cache constraint (REST), 129

 

缓存,170

caching, 170

 

资本支出(资本支出),191

CapEx (capital expenditure), 191

 

节省资本成本,253

capital cost savings, 253

 

资本支出(CapEx),191

capital expenditure (CapEx), 191

 

CAPM(项目管理认证助理),485

CAPM (Certified Associate in Project Management), 485

 

职业(IT)

careers (IT)

 

认证计划,480 - 487

certification programs, 480-487

 

云计算,482 - 483

cloud computing, 482-483

 

IT 安全,487

IT security, 487

 

网络,484

networking, 484

 

项目管理,485

project management, 485

 

SDN,481

SDN, 481

 

系统工程师,486

systems engineer, 486

 

虚拟化,481 - 483

virtualization, 481-483

 

新兴角色,467

emerging roles, 467

 

职责,467 - 469

responsibilities, 467-469

 

SDN/NFV 影响,469 - 470

SDN/NFV impacts, 469-470

 

在线资源,489 - 490

online resources, 489-490

 

概述网站,490

overview website, 490

 

需求技能,488 - 489

skills in demand, 488-489

 

运营商以太网,14

carrier Ethernet, 14

 

卡桑德拉,488

Cassandra, 488

 

CBWFQ(基于类别的 WFQ),279

CBWFQ (class-based WFQ), 279

 

CCA-V(Citrix 认证助理 - 虚拟化),484

CCA-V (Citrix Certified Associate - Virtualization), 484

 

CCE-V(Citrix 认证专家 - 虚拟化),484

CCE-V (Citrix Certified Expert - Virtualization), 484

 

CCNx, 169 - 170

CCNx, 169-170

 

CCP-V(Citrix 认证专家 - 虚拟化),484

CCP-V (Citrix Certified Professional - Virtualization), 484

 

CDN(内容交付网络),224

CDNs (Content Delivery Networks), 224

 

CE(客户边缘),244

CE (customer edge), 244

 

蜂窝网络,23

cellular networks, 23

 

1G(第一代),23

1G (first generation), 23

 

2G(第二代),23

2G (second generation), 23

 

3G(第三代),24

3G (third generation), 24

 

4G(第四代),24

4G (fourth generation), 24

 

5G(第五代),25

5G (fifth generation), 25

 

集中控制器,133

centralized controllers, 133

 

集中式服务器群,16

centralized server farms, 16

 

认证计划,480 - 487

certification programs, 480-487

 

云计算,482 - 483

cloud computing, 482-483

 

IT 安全,487

IT security, 487

 

网络,484

networking, 484

 

项目管理,485

project management, 485

 

SDN,481

SDN, 481

 

系统工程师,486

systems engineer, 486

 

虚拟化,481 - 483

virtualization, 481-483

 

项目管理认证助理 (CAPM),485

Certified Associate in Project Management (CAPM), 485

 

渠道

channels

 

1G/2G 蜂窝网络,23

1G/2G cellular networks, 23

 

开放流,96

OpenFlow, 96

 

厨师, 488

Chef, 488

 

芯片,384 - 385

chips, 384-385

 

扼流包,65

choke packets, 65

 

思科

Cisco

 

开发网,479

DevNet, 479

 

网络认证,484

networking certifications, 484

 

物联网系统,420

IoT system, 420

 

应用程序支持平台,426

application enablement platform, 426

 

数据分析,424 - 425

data analytics, 424-425

 

雾计算,424

fog computing, 424

 

管理和自动化,426

management and automation, 426

 

网络连接,423 - 424

network connectivity, 423-424

 

安全,425 - 426

security, 425-426

 

六大支柱,421

six pillars, 421

 

性能路由(PfR),272

Performance Routing (PfR), 272

 

系统互联技术手册网站,299

Systems Internetworking Technology Handbook website, 299

 

虚拟化认证计划,481

virtualization certification programs, 481

 

CISM(认证信息安全经理),487

CISM (Certified Information Security Manager), 487

 

Citrix 认证助理 - 虚拟化 (CCA-V),484

Citrix Certified Associate - Virtualization (CCA-V), 484

 

Citrix 认证专家 - 虚拟化 (CCE-V),484

Citrix Certified Expert - Virtualization (CCE-V), 484

 

Citrix 认证专家 - 虚拟化 (CCP-V),484

Citrix Certified Professional - Virtualization (CCP-V), 484

 

基于类别的 WFQ(CBWFQ),279

class-based WFQ (CBWFQ), 279

 

类选择器 PHB,289 - 291

class selector PHB, 289-291

 

类(RFID 标签),392

classes (RFID tags), 392

 

分类器

classifiers

 

区分服务,280

DiffServ, 280

 

交通, 285

traffic, 285

 

客户端-服务器约束(REST),128

client-server constraint (REST), 128

 

云计算,350

cloud computing, 350

 

敏捷,50

agility, 50

 

建筑学

architecture

 

ITU-T 云计算参考,365 - 368

ITU-T cloud computing reference, 365-368

 

NIST 云计算参考,361 - 365

NIST cloud computing reference, 361-365

 

审计员,363

auditors, 363

 

福利, 27 , 349

benefits, 27, 349

 

经纪人, 363

brokers, 363

 

运营商, 363

carriers, 363

 

认证计划,482 - 483

certification programs, 482-483

 

云NaaS,164 - 168

CloudNaaS, 164-168

 

建筑, 167

architecture, 167

 

框架,165

framework, 165

 

基础设施即服务,166

IaaS, 166

 

虚拟机,166

VMs, 166

 

背景,27

context, 27

 

核心,50

core, 50

 

定义, 26 , 349

defined, 26, 349

 

部署模型,359 - 360

deployment models, 359-360

 

开发运营,477

DevOps, 477

 

灵活性,50

flexibility, 50

 

雾计算,比较,405

fog computing, compared, 405

 

历史, 25

history, 25

 

网络, 28

networking, 28

 

网络功能虚拟化,368 - 371

NFV, 368-371

 

NIST 特征,26

NIST characteristics, 26

 

开放源码软件,50

OSS, 50

 

性能, 50

performance, 50

 

要求,50

requirements, 50

 

可扩展性,50

scalability, 50

 

SDN,368 - 371

SDN, 368-371

 

安全, 446

security, 446

 

建筑, 448

architecture, 448

 

可审计性,449

auditability, 449

 

可用性,448 - 449

availability, 448-449

 

合规性,447

compliance, 447

 

控制装置, 457

controls, 457

 

数据保护,448 - 453

data protection, 448-453

 

治理,447

governance, 447

 

身份/访问管理,448

identity/access management, 448

 

事件响应,448

incident response, 448

 

安全即服务,453 - 456

Security as a Service, 453-456

 

共享供应商资源,449

sharing vendor resources, 449

 

软件隔离,448

software isolation, 448

 

用户保护,450

subscriber protection, 450

 

威胁,449 - 452

threats, 449-452

 

信任, 447

trust, 447

 

服务

services

 

碳酸钙即服务,355

CaaS, 355

 

云能力类型,356

cloud capability types, 356

 

康帕斯,356

CompaaS, 356

 

数字SaaS,356

DSaaS, 356

 

新兴, 357

emerging, 357

 

基础设施即服务,354 - 355

IaaS, 354-355

 

NaaS, 356

NaaS, 356

 

平台即服务,353

PaaS, 353

 

软件即服务,352 - 353

SaaS, 352-353

 

XaaS,357 - 358

XaaS, 357-358

 

存储, 28 , 350

storage, 28, 350

 

交通流量, 48

traffic flow, 48

 

互联云,50

intercloud, 50

 

云内,49

intracloud, 49

 

开放源码软件,50

OSS, 50

 

克劳德拉黑斑羚,488 - 489

Cloudera Impala, 488-489

 

CloudNaaS(云网络即服务),164 - 168

CloudNaaS (Cloud Network as a Service), 164-168

 

建筑, 167

architecture, 167

 

框架,165

framework, 165

 

基础设施即服务,166

IaaS, 166

 

虚拟机,166

VMs, 166

 

云安全联盟,453

Cloud Security Alliance, 453

 

云安全即服务。参见 SecaaS

Cloud Security as a Service. See SecaaS

 

云服务管理,364

cloud service management, 364

 

CloudShell DevOps 相关产品,479

CloudShell DevOps related products, 479

 

CM(控制管理器),417 - 420

CM (Control Manager), 417-420

 

CoAP(受限应用协议),411 - 414

CoAP (constrained application protocol), 411-414

 

按需代码约束 (REST),130

code-on-demand constraint (REST), 130

 

代码点,280

codepoints, 280

 

认知处理,307

cognitive processing, 307

 

合作, 474

collaboration, 474

 

协作/流程级别(IWF IoT 参考模型),407

collaboration/processes level (IWF IoT reference model), 407

 

商业现货 (COTS),184

commercial off-the-shelf (COTS), 184

 

通讯对象,338

Communication object, 338

 

通讯

communications

 

物联网设备,399

IoT devices, 399

 

网络(物联网),396

networks (IoT), 396

 

统一

unified

 

音频会议,34

audio conferencing, 34

 

福利, 36

benefits, 36

 

收敛,35

convergence, 35

 

定义, 33

defined, 33

 

元素,33 - 35

elements, 33-35

 

即时通讯,34

instant messaging, 34

 

IP 支持联络中心,35

IP enabling contact centers, 35

 

流动性, 35

mobility, 35

 

存在, 35

presence, 35

 

RTC 仪表板,33

RTC dashboard, 33

 

统一消息传递,34

unified messaging, 34

 

视频会议,34

video conferencing, 34

 

网络会议,34

web conferencing, 34

 

VLAN 成员资格,236

VLAN membership, 236

 

VNFC 到 VNFC,215 - 216

VNFC to VNFC, 215-216

 

通信即服务 (CaaS),355 - 357

Communications as a Service (CaaS), 355-357

 

社区云基础设施,360

community cloud infrastructure, 360

 

CompaaS(计算即服务),356

CompaaS (Compute as a Service), 356

 

组件(支持物联网的事物),377

components (IoT-enabled things), 377

 

执行器,380 - 381

actuators, 380-381

 

微控制器,381 - 386

microcontrollers, 381-386

 

RFID 技术,387 - 392

RFID technology, 387-392

 

传感器,377 - 379

sensors, 377-379

 

收发器,386

transceivers, 386

 

计算即服务 (CompaaS),356

Compute as a Service (CompaaS), 356

 

计算域

compute domain

 

定义,199

defined, 199

 

元素,205 - 208

elements, 205-208

 

电子开关,205

eswitch, 205

 

网络功能虚拟化,187

NFV, 187

 

NFVI 节点,206 - 208

NFVI nodes, 206-208

 

计算节点,206

compute nodes, 206

 

计算机工作网站,490

Computer Jobs website, 490

 

计算机科学学生资源网站,490

Computer Science Student Resources website, 490

 

ComputerWorld IT 主题中心网站,490

ComputerWorld IT Topic Center website, 490

 

调节流量 (DiffServ), 281 , 285

conditioning traffic (DiffServ), 281, 285

 

会议, 34

conferencing, 34

 

保密

confidentiality

 

安全要求,435

security requirement, 435

 

传输层安全协议, 438

TLS, 438

 

配置

configuring

 

区分服务,284

DiffServ, 284

 

局域网,231

LANs, 231

 

网络功能虚拟化,188 - 189

NFV, 188-189

 

QoE 监控,335

QoE monitoring, 335

 

VLAN,234

VLANs, 234

 

拥塞

congestion

 

回避,270

avoidance, 270

 

控制, 64

controlling, 64

 

背压,64

backpressure, 64

 

扼流包,65

choke packets, 65

 

显式信令,66 - 67

explicit signaling, 66-67

 

隐式信令,65

implicit signaling, 65

 

ISA,273

ISA, 273

 

TCP,267

TCP, 267

 

效果, 60

effects, 60

 

理想的表现,61 - 63

ideal performance, 61-63

 

实际表现,63 - 64

practical performance, 63-64

 

连接

connections

 

无障碍设施, 6

access facilities, 6

 

应用程序提供商,6 - 7

application providers, 6-7

 

内容提供商,7

content providers, 7

 

全球架构,8

global architectures, 8

 

物联网, 30 , 423 - 424

IoT, 30, 423-424

 

IP 性能指标,294

IP performance metric, 294

 

网络提供商,6

network providers, 6

 

连接级别(IWF IoT 参考模型),403

connectivity level (IWF IoT reference model), 403

 

受限应用协议 (CoAP),411 - 414

constrained application protocol (CoAP), 411-414

 

受限设备,409

constrained devices, 409

 

约束(REST),128 - 130

constraints (REST), 128-130

 

缓存,129

cache, 129

 

客户端-服务器,128

client-server, 128

 

按需编码,130

code-on-demand, 130

 

分层系统,130

layered system, 130

 

无国籍,128

stateless, 128

 

统一接口,129

uniform interface, 129

 

消费者和家庭物联网服务,376

consumer and home IoT services, 376

 

容器

containers

 

定义, 183

defined, 183

 

接口,199 - 202

interface, 199-202

 

NFVI,203

NFVI, 203

 

虚拟化,183

virtualization, 183

 

内容

content

 

交付网络 (CDN),224

Delivery Networks (CDNs), 224

 

数据包,169

packets, 169

 

供应商, 7

providers, 7

 

上下文定义,303

contextual definition, 303

 

连续数据源,44

continuous data sources, 44

 

控制层,121

control layers, 121

 

控制管理中心,417 - 420

Control Manager, 417-420

 

控制平面( SDN )68、82、113

control plane (SDN), 68, 82, 113

 

集中控制器,133

centralized controllers, 133

 

控制器实施举措,115

controller implementation initiatives, 115

 

分布式控制器,134

distributed controllers, 134

 

联合会,135

federation, 135

 

功能,113 - 114

functions, 113-114

 

HA 集群,134

HA clusters, 134

 

北向接口,117 - 119

northbound interfaces, 117-119

 

OpenDaylight 架构,122

OpenDaylight architecture, 122

 

基本网络服务功能,124

base network service functions, 124

 

控制平面/应用平面功能,123

control plane/application plane functionality, 123

 

灵活性,123

flexibility, 123

 

氦气,124

Helium, 124

 

层数,122

layers, 122

 

模块,125 - 127

modules, 125-127

 

萨尔,123

SAL, 123

 

PolicyCop 申请,155

PolicyCop application, 155

 

服务质量

QoS

 

建筑,271 - 272

architecture, 271-272

 

管理,138 - 140

management, 138-140

 

休息

REST

 

API 示例,130 - 132

API example, 130-132

 

限制,128 - 130

constraints, 128-130

 

定义, 128

defined, 128

 

路由, 119 - 120 , 137 - 138

routing, 119-120, 137-138

 

SDNi

SDNi

 

IETF,140 - 141

IETF, 140-141

 

开放日光,141 - 142

OpenDaylight, 141-142

 

南向接口,116 - 117

southbound interfaces, 116-117

 

受控负载服务,277

controlled load services, 277

 

控制器对象,338

Controller object, 338

 

控制器

controllers

 

云安全,457

cloud security, 457

 

拥堵,64

congestion, 64

 

背压,64

backpressure, 64

 

扼流包,65

choke packets, 65

 

拥堵效应,60

congestion effects, 60

 

显式信令,66 - 67

explicit signaling, 66-67

 

理想的表现,61 - 63

ideal performance, 61-63

 

隐式信令,65

implicit signaling, 65

 

实际表现,63 - 64

practical performance, 63-64

 

数据流,271 - 272

data flow, 271-272

 

SDN,68

SDN, 68

 

集中式,133

centralized, 133

 

分布式, 134

distributed, 134

 

联合会,135

federation, 135

 

功能,113 - 114

functions, 113-114

 

HA 集群,134

HA clusters, 134

 

IETF SDNi,140 - 141

IETF SDNi, 140-141

 

实施举措,115

implementation initiatives, 115

 

实施,84

implementing, 84

 

北向接口,117 - 119

northbound interfaces, 117-119

 

开放日光,122 - 127

OpenDaylight, 122-127

 

OpenDaylight SDNi,141 - 142

OpenDaylight SDNi, 141-142

 

PolicyCop 申请,155

PolicyCop application, 155

 

隐私,134

privacy, 134

 

服务质量管理,138 - 140

QoS management, 138-140

 

可靠性,133

reliability, 133

 

休息。参见 休息

REST. See REST

 

路由,119 - 120

routing, 119-120

 

域之间的路由,137 - 138

routing between domains, 137-138

 

可扩展性,133

scalability, 133

 

安全威胁,439

security threats, 439

 

南向接口,116 - 117

southbound interfaces, 116-117

 

切换消息,109

switch messages, 109

 

VTN,127

VTN, 127

 

收敛

convergence

 

应用程序, 30

applications, 30

 

福利, 32

benefits, 32

 

业务驱动,31

business-driven, 31

 

定义, 30

defined, 30

 

企业服务,30

enterprise services, 30

 

基础设施, 31

infrastructure, 31

 

加州大学建筑学,35

UC architecture, 35

 

cookie 条目(流表),99

cookie entry (flow tables), 99

 

核心网络

core networks

 

云计算,50

cloud computing, 50

 

定义, 11

defined, 11

 

高速本地,16

high-speed local, 16

 

核心路由器,8

core routers, 8

 

COTS(商业现货),184

COTS (commercial off-the-shelf), 184

 

柜台

counters

 

流表,98

flow tables, 98

 

团体桌,107

group tables, 107

 

CPE(客户端设备),224

CPE (customer premises equipment), 224

 

CQ(自定义排队),278

CQ (custom queuing), 278

 

可信度(DevOps),478

credibility (DevOps), 478

 

基于信用的显式拥塞信号,67

credit based explicit congestion signaling, 67

 

横截面带宽,163

cross-section bandwidth, 163

 

电流和电压装置,379

current and voltage devices, 379

 

客户边缘(CE),244

customer edge (CE), 244

 

客户端设备 (CPE),224

customer premises equipment (CPE), 224

 

自定义排队 (CQ),278

custom queuing (CQ), 278

 

D

D

 

数据

data

 

抽象级别(IWF IoT 参考模型),407

abstraction level (IWF IoT reference model), 407

 

积累水平(IWF IoT 参考模型),406 - 407

accumulation level (IWF IoT reference model), 406-407

 

分析, 30 , 424 - 425

analytics, 30, 424-425

 

大,45

big, 45

 

分析,46

analytics, 46

 

关注领域,48

areas of concern, 48

 

定义, 45

defined, 45

 

生态系统示例,46 - 48

ecosystem example, 46-48

 

基础设施, 46

infrastructures, 46

 

三个V,48

three V’s, 48

 

捕获设备(物联网),396

capturing devices (IoT), 396

 

运营商(物联网),396 - 397

carriers (IoT), 396-397

 

中心

centers

 

定义, 7

defined, 7

 

以太网,13

Ethernet, 13

 

以太网数据速率,17

Ethernet data rates, 17

 

SDN 应用,162 - 168

SDN applications, 162-168

 

重复数据删除,258

deduplication, 258

 

损失/泄漏,451

loss/leakage, 451

 

损失预防 (DLP),455

loss prevention (DLP), 455

 

管理服务器,46

management servers, 46

 

议案,406

motion, 406

 

数据包检查,184

packet inspection, 184

 

处理系统,46

processing systems, 46

 

保护, 448 , 452 - 453

protection, 448, 452-453

 

费率

rates

 

3G 蜂窝网络,24

3G cellular networks, 24

 

以太网,14 - 19

Ethernet, 14-19

 

无线网络连接,21 - 22

Wi-Fi, 21-22

 

来源,44

sources, 44

 

仓库, 46

warehouses, 46

 

数据采集​​对象,338

Data-Acquisition object, 338

 

电缆数据服务接口规范 (DOCSIS),126

Data Over Cable Service Interface Specification (DOCSIS), 126

 

数据平面

data plane

 

QoS 架构,269 - 271

QoS architecture, 269-271

 

SDN, 68 , 82

SDN, 68, 82

 

功能,93 - 94

functions, 93-94

 

协议,95

protocols, 95

 

安全威胁,437 - 439

security threats, 437-439

 

数据存储即服务 (DSaaS),356

Data Storage as a Service (DSaaS), 356

 

数据报,80

datagrams, 80

 

DDoS(分布式拒绝服务),127

DDoS (distributed denial-of-service), 127

 

开放日光,127

OpenDaylight, 127

 

OpenDaylight Defense4All 应用程序, 157 - 159 , 162

OpenDaylight Defense4All application, 157-159, 162

 

建筑,160 - 162

architecture, 160-162

 

上下文,158

context, 158

 

检测到的攻击,缓解,159

detected attacks, mitigating, 159

 

保护技术,158

protection techniques, 158

 

专用处理器,383

dedicated processors, 383

 

深度嵌入式系统,386

deeply embedded systems, 386

 

默认转发 PHB,287

default forwarding PHB, 287

 

Defense4All 应用程序, 157 - 159 , 162

Defense4All application, 157-159, 162

 

建筑,160 - 162

architecture, 160-162

 

上下文,158

context, 158

 

检测到的攻击,缓解,159

detected attacks, mitigating, 159

 

保护技术,158

protection techniques, 158

 

延误

delays

 

大数据,48

big data, 48

 

弹性流量,39

elastic traffic, 39

 

交通缺乏弹性,40

inelastic traffic, 40

 

紧张不安, 40

jitters, 40

 

实时路况,43

real-time traffic, 43

 

SLA,292

SLAs, 292

 

交付,302 - 303

delivery, 302-303

 

要求

demand

 

大数据,45

big data, 45

 

分析,46

analytics, 46

 

关注领域,48

areas of concern, 48

 

定义, 45

defined, 45

 

生态系统示例,46 - 48

ecosystem example, 46-48

 

基础设施, 46

infrastructures, 46

 

三个V,48

three V’s, 48

 

云计算,48

cloud computing, 48

 

核心,50

core, 50

 

互联云,50

intercloud, 50

 

云内,49

intracloud, 49

 

开放源码软件,50

OSS, 50

 

要求,50

requirements, 50

 

虚拟机,49

virtual machines, 49

 

不断变化的需求,77

evolving requirements, 77

 

移动流量,51

mobile traffic, 51

 

类别, 52

categories, 52

 

成长, 52

growth, 52

 

预测,52

projections, 52

 

无线用户,52

wireless users, 52

 

世界总数,计算中,51

world total, calculating, 51

 

部署

deployment

 

应用程序生命周期,471

applications lifecycle, 471

 

云计算,359 - 360

cloud computing, 359-360

 

互联网,29

Internet, 29

 

物联网,409

IoT, 409

 

思科物联网系统,420 - 426

Cisco IoT system, 420-426

 

ioBridge,427 - 430

ioBridge, 427-430

 

物联网。查看 物联网

IoTivity. See IoTivity

 

网络功能虚拟化,443

NFV, 443

 

NFVI 容器,203

NFVI containers, 203

 

软件定义网络

SDN

 

域,134

domains, 134

 

驱动因素,68 - 69

driving factors, 68-69

 

目的地址字段(流表匹配字段),99

destination addresses field (flow table match fields), 99

 

发展。请参阅 开发运营

development. See DevOps

 

设备

devices

 

受限,409

constrained, 409

 

发现,419

discovery, 419

 

物联网,396

IoT, 396

 

致动, 396

actuating, 396

 

通讯, 399

communication, 399

 

数据采集​​,396

data-capturing, 396

 

数据承载,396 - 397

data-carrying, 396-397

 

电流驱动,398

galvanic driving, 398

 

网关, 398

gateways, 398

 

一般,396 - 398

general, 396-398

 

红外线,397

infrared, 397

 

交互技术,397

interaction technologies, 397

 

光学,398

optical, 398

 

无线射频识别,397

RFID, 397

 

传感,396

sensing, 396

 

经理, 114

manager, 114

 

无约束,410

unconstrained, 410

 

开发网,479

DevNet, 479

 

DevOps(开发运营),471

DevOps (development operations), 471

 

ALM,473

ALM, 473

 

建筑, 472

architecture, 472

 

自动化,475

automation, 475

 

思科开发网络,479

Cisco DevNet, 479

 

云计算,477

cloud computing, 477

 

合作, 474

collaboration, 474

 

可信度, 478

credibility, 478

 

当前状态,479

current state, 479

 

定义, 471

defined, 471

 

需求,475

demand, 475

 

开发/测试,473

development/testing, 473

 

基础知识,471 - 475

fundamentals, 471-475

 

监控/优化,473

monitoring/optimizing, 473

 

网络基础设施,476 - 478

network infrastructure, 476-478

 

规划和测量,473

planning and measuring, 473

 

可编程性,477

programmability, 477

 

释放/部署,473

releasing/deploying, 473

 

相关产品,478

related products, 478

 

脚本编写,477

scripting, 477

 

版本控制系统,477

version control systems, 477

 

需求 IT 技能的 Dice 排名,488 - 489

Dice rankings of IT skills in demand, 488-489

 

DICE 网站,490

DICE website, 490

 

差异化服务代码点 (DSCP),256

differentiated services codepoint (DSCP), 256

 

DiffServ(差异化服务),279

DiffServ (differentiated services), 279

 

行为聚合,280

behavior aggregates, 280

 

边界节点,280

boundary nodes, 280

 

特征,279

characteristics, 279

 

分类器,280

classifiers, 280

 

代码点,280 - 282

codepoints, 280-282

 

配置,284

configuration, 284

 

域,280 - 281

domains, 280-281

 

下降, 280

dropping, 280

 

DS 场,280 - 282

DSField, 280-282

 

内部节点,280

interior nodes, 280

 

标记, 281

marking, 281

 

计量, 281

metering, 281

 

节点,280

node, 280

 

PHB,281 - 286

PHB, 281-286

 

放心转发,288 - 289

assured forwarding, 288-289

 

类选择器,289 - 291

class selector, 289-291

 

默认转发,287

default forwarding, 287

 

加急转发,287

expedited forwarding, 287

 

服务示例,282

service examples, 282

 

SLA,281

SLAs, 281

 

三氯乙酸,281

TCA, 281

 

术语,280

terminology, 280

 

交通调节,281 - 285

traffic conditioning, 281-285

 

数字流量渠道,23

digital traffic channels, 23

 

通过管道指令直接数据包,102

direct packet through pipeline instructions, 102

 

灾难恢复,456

disaster recovery, 456

 

丢弃数据包,273

discarding packets, 273

 

发现

discovery

 

设备, 419

devices, 419

 

链接, 120

link, 120

 

分布式拒绝服务。请参阅 DDoS

distributed denial-of-service. See DDoS

 

分配

distribution

 

抽象,149

abstraction, 149

 

控制器,134

controllers, 134

 

网络, 10

networks, 10

 

DLP(数据丢失防护),455

DLP (data loss prevention), 455

 

DLUX 用户界面,127

DLUX UI, 127

 

DOCSIS(电缆数据服务接口规范),126

DOCSIS (Data Over Cable Service Interface Specification), 126

 

domains

 

广播, 231

broadcast, 231

 

计算, 187

compute, 187

 

区分服务,280 - 281

DiffServ, 280-281

 

基础设施网络,187

infrastructure network, 187

 

网络功能虚拟化,190

NFV, 190

 

NFVI,199

NFVI, 199

 

计算,205 - 208

compute, 205-208

 

管理程序,208 - 209

hypervisor, 208-209

 

印度,209 - 213

IND, 209-213

 

逻辑结构,204

logical structure, 204

 

SDN, 133 , 137 - 138

SDN, 133, 137-138

 

双面优质型号,323

double-sided quality models, 323

 

滴管

droppers

 

区分服务,280

DiffServ, 280

 

数据包,285

packets, 285

 

DSaaS(数据存储即服务),356

DSaaS (Data Storage as a Service), 356

 

DSCP(差异化服务代码点),256

DSCP (differentiated services codepoint), 256

 

DS 场,280 - 282

DSField, 280-282

 

E

ecosystem

application providers, 6-7

connections, 6

content providers, 7

data centers, 7

fog networking, 7

IoT (Internet of Things), 7

network providers, 6

users, 5

edge computing level (IWF IoT reference model), 403-404

edge routers, 8

EF (expedited forwarding) PHB, 287

EGP (exterior gateway protocol), 59

egress port field (flow table match fields), 99

egress processing, 103-105

elastic traffic

applications, 39

benefits, 40

defined, 39

delays, 39

QoS, 40

requirements, 39

total elapsed time, 40

electric actuators, 381

electronic product codes (EPCs), 387

EM (element management), 220

e-mail security, 455

embedded systems, 381-383

E-Model, 325

encapsulated packets, 111

encryption

1G/2G cellular networks, 23

cloud security, 456

end users. See users

energy IoT services, 377

enterprise networks

Ethernet, 13

LANs

architecture, 12

Ethernet data rates, 17

services, 30

Wi-Fi, 20

entries

flow tables, 98

group tables, 107

EPCs (electronic product codes), 387

equipment consolidation, 253

ERPs (exterior router protocols), 59, 136

error detection/correction, 23

eswitches, 205

Ethernet

carrier, 14

data centers, 13

data rates, 14

1-Gbps, 15-16

2.5/5-Gbps, 19

10-Gbps, 16-17

25/50-Gbps, 18

100-Gbps, 17

400-Gbps, 19

defined, 11

enterprise, 13

homes, 12

LAN connections, 8

metro, 14

offices, 12

source port field (flow table match fields), 99

standards, 14

type field (flow table match fields), 99

WANs, 14

Wi-Fi combination, 12

The Ethernet Alliance, 14

ETSI (European Telecommunications Standards Institute), 88, 444-446

Eureka Celtic, 304

event-based messages, 111

events, 308

expedited forwarding (EF) PHB, 287

explicit congestion signaling, 66-67

exterior gateway protocol (EGP), 59

exterior router protocols (ERPs), 59, 136

F

faces, 170

fair queuing, 279

fast failover group type, 109

FEC (forwarding equivalence class), 244

federation, 135

FIFO (first-in, first-out), 277

fifth generation (5G) cellular networks, 25

first generation (1G) cellular networks, 23

fixed access network functions, 225

flags entry (flow tables), 99

flexibility

cloud computing, 50

NV, 253

OpenDaylight architecture, 123

Floodlight, 115

flows

congestion avoidance, 270

controlling, 271-272

ISA, 273

metering, 272

OpenFlow, 97-98

packets

defined, 80

marking, 270

queue management, 270

recording, 272

restoration, 272

statistics, 111

tables

action sets, 102

entries, 98

instructions component, 101-102

match fields, 99-101

nesting, 106-107

pipeline, 102-105

structure, 98

traffic

classification, 269

policing, 270

shaping, 270

VTN, 256

WFQ, 279

Flume, 488

fog computing

Cisco IoT system, 424

cloud computing, compared, 405

defined, 404

fog networking, 7

ForCES (Forwarding and Control Element Separation), 117

forwarding

abstraction, 148

equivalence class (FEC), 244

packets, 56-57, 275

paths, 187

PHB, 287-289

rules manager, 124

shortest path, 114

fourth generation (4G) cellular networks, 24

frame tagging, 236

frameworks

high-level, 190-191

IoT security, 462-464

Frenetic, 150-152

full-reference quality models, 323

functional block interface, 200

functionalities (RFID), 391-392

functions

fixed access, 225

network, 187

VNF, 213

interfaces, 213-214

potential functions, 213

scaling, 216

VNFC to VNFC communication, 215-216

G

galvanic driving devices, 398

gateways

IoT, 396-398

nodes, 206

GBP (Group Based Policy), 126

general devices (IoT), 396-398

GET message type, 131

GIAC (Global Information Assurance Certification) GSEC (Security Essentials), 487

Git, 477

glass-box parameter-based QoE/QoS mapping models, 325-326

global architectures, 7-8

Google cloud computing certification programs, 483

governance, 447

gray-box QoE/QoS mapping models, 326-327

Group Based Policy (GBP), 126

group tables

action buckets, 108

entries, 107

group types, 108-109

OpenFlow, 97, 107-109

groups, 108-109

guaranteed services, 276

H

HA (high-availability) clusters, 134

Hadoop, 488

hardware virtualization, 178

HBase, 488

healthcare IoT services, 376

Helium (OpenDaylight), 124

hierarchy, 9

access, 10

core, 11

distribution, 10

high-level frameworks, 190-191

high-level SDN architecture (ITU-T Y.3300), 120-121

high-speed local core networks, 16

hijacking accounts/services, 451

homes

Ethernet, 12

NFV, 224

Wi-Fi, 20

host-centric vertical handover QoE-based network management, 341-342

host trackers, 124

HP ASE - SDN Application Developer certification, 481

hybrid cloud infrastructure, 360

hydraulic actuators, 380

hypervisor domain, 199, 208-209

hypervisor introspection, 446

I

IaaS (Infrastructure as a Service), 166, 354

CloudNaaS, 166

defined, 166, 354

examples, 354

separation of responsibilities, 355

IAM (Identity and access management), 455

IBM

cloud computing certification programs, 482

study “Every Day We Create 2.5 Quintillion Bytes of Data” website, 73

ICMP type/code fields (flow table match fields), 100

ICMPv6 type/code fields (flow table match fields), 100

ICN (Information-Centric Networking), 168-173

identification RFID technology, 387

identifiers

group, 107

URIs, 129

identity

access management (IAM), 455

cloud security, 448

SecaaS, 455

IEEE (Institute of Electrical and Electronics Engineers), 14

802.1, 237

802.1Q standard, 237-238

802.3, 237

802.11 standards, 21

802, 14, 237

Computer Society Build Your Career website, 490

Job Site website, 490

Resume Lab website, 490

Standards Association (IEEE-SA), 305

IETF (Internet Engineering Task Force), 87, 140-141

IGP (interior gateway protocol), 59

image, camera devices, 379

IM (instant messaging), 34

implementing

NFV, 196

SDN controllers, 84, 115

implicit congestion signaling, 65

incident response, 448

IND (infrastructure network domain), 199, 209-213

L2 versus L3 virtual networks, 210-211

NFV, 187

reference points, 209

virtualization, 210

virtual network alternatives, 211

indirect group type, 109

industrial IoT services, 376

inelastic traffic

defined, 40

delays, 40

internet requirements, 42

packet loss, 41

QoS requirements, 42

requirements, 40

service class characteristics, 41

throughput, 40

inertial devices, 378

Information-Centric Networking (ICN), 168-173

Information Technology. See IT

infrared devices, 397

infrastructures

as a Service. See IaaS

based VN, 212

big data, 46

convergence, 31

network domain. See IND

NFV, 199

compute domain, 205-208

container deployment, 203

domains, 199, 204

hypervisor domain, 208-209

IND, 209-213

nodes, 206-208

virtual network alternatives, 211

virtualized manager (VIM), 217-218

ingress port field (flow table match fields), 99

ingress processing, 102-104

inspecting packets, 184

instant messaging (IM), 34

Institute of Electrical and Electronics Engineers. See IEEE

instructions component, 102

instructions entry (flow tables), 98

integrated circuits, 384

Integrated Services Architecture. See ISA

integrity

security requirement, 435

TLS, 438

Inter-SDN Controller Communication: Using Border Gateway Protocol website, 143

interactive QoE, 55

intercloud networks, 50

intercommunicating smart objects, 374

Interest packets, 169

interfaces

cloud security, 450

container, 199-202

functional block, 200

SDN controllers

northbound, 117-119, 146

southbound, 116-117

sensors, 377

uniform, 129

user, 147

VNF, 213-214

interior gateway protocol (IGP), 59

interior nodes, 280

interior router protocols (IRPs), 58, 119

International Information System Security Certification Consortium (ISC)2 Certified Information Systems Security Professional (CISSP), 487

International Telecommunication Union—Telecommunication Standardization Sector. See ITU-T

Internet

defined, 39

deployment generations, 29

Engineering Task Force (IETF), 87, 140-141

exchanges, 17

media providers, 17

wireless, 52

Internet of Things. See IoT

Internet Research Task Force (IRTF), 87

Internet Society (ISOC), 87

internets, 39, 42

intracloud networks, 49

intrusion management, 456

ioBridge

platform, 427

RealTime.io, 430

ThingSpeak, 428-429

website, 427

I/O ports, 59

IoT (Internet of Things), 7

actuators, 380-381

agents, 399

architecture, 395

benefits, 373

Cisco IoT system, 420

application enablement platform, 426

data analytics, 424-425

fog computing, 424

management and automation, 426

network connectivity, 423-424

security, 425-426

six pillars, 421

components, 377, 389

defined, 28

deploying, 409

embedded devices, 28

equation, 374

intercommunicating smart objects, 374

Internet deployment evolution, 29

ioBridge

platform, 427

RealTime.io, 430

ThingSpeak, 428-429

website, 427

IoTivity, 409

base, 410

Base, 415-417

Base services, 417-420

CoAP, 411-414

constrained devices, 409

Linux Foundation, 409

OIC, 409

unconstrained devices, 410

ITU-T reference model, 395, 400-401

actuating devices, 396

communication networks, 396

data-capturing devices, 396

data carriers, 396

devices, 396-399

gateway, 396

general devices, 396

sensing devices, 396

terminology, 395-396

things, 396

IWF reference model, 401-403

application, 407

collaboration/processes, 407

connectivity, 403

data abstraction, 407

data accumulation, 406-407

edge computing, 403-404

physical devices/controllers, 403

summary, 408

layers, 29-30

microcontrollers, 381

application processors, 383

chips, 385

dedicated processors, 383

deeply embedded systems, 386

embedded systems, 381-383

microprocessors, 383-384

RFID technology, 387

access control, 388

anti-counterfeiting tool, 388

applications, 387-388

functionalities, 391-392

operating frequencies, 391

payment/stored value systems, 387

readers, 390

tags, 389-390

tracking/identification, 387

scope, 374-377

security, 458-459

framework, 462-464

patching vulnerabilities, 459

requirements, 459-461

sensors, 377

accuracy, 379

precision, 379

resolution, 380

types, 377-379

service sectors

buildings, 377

consumer and home, 376

energy, 377

healthcare/life science, 376

industrial, 376

IT/networks, 375

retail, 376

security/public safety, 375

transportation, 376

tags, 375

technology development, 373

transceivers, 386

World Forum. See IWF

iotas, 427

IoTivity, 409

base, 410

Base, 415

resources, querying, 416-417

services, 415-420

clients, 419

CoAP, 411-414

formats, 412

message exchange example, 414

message method, 413

messages, 412

constrained devices, 409

Linux Foundation, 409

OIC, 409

servers, 419

unconstrained devices, 410

website, 409

IP

backbone, 8

enabling contact centers, 35

field (flow table match fields component), 99

mobility, 35

Performance Metrics Working Group. See IPPM

security (IPsec), 241-243

IP-oriented parameter-based QoE/QoS mapping models, 327-329

IPPM (IP Performance Metrics Working Group), 293-296

benefits, 293

measurement techniques, 295

metrics, listing of, 293

need, 293

pdv, 295

sample metrics, 295

stages, 294

statistical metrics, 295

IPsec, 241-243

IPv4 (flow table match fields), 100

IPv6 (flow table match fields), 100-101

IRPs (interior router protocols), 58, 119

IRTF (Internet Research Task Force), 87

ISA (Integrated Services Architecture), 273

components, 274-275

design, 273-274

flows, 273

QoS, 273

services, 276-279

ISACA Certified Information Security Manager (CISM), 487

ISC2 (International Information System Security Certification Consortium) CISSP (Certified Information Systems Security Professional), 487

ISC2 Systems Security Certified Practitioner (SSCP), 487

ISG NFV (Network Functions Virtualization Industry Standards Group), 186

container interface, 199-202

NFV standards, 186

ISOC (Internet Society), 87

ISP

connections, 8

core routing, 17

IT (information technology), 29, 407

defined, 407

IoT services, 375

professionals, 467

certification programs, 480-487

online resources, 489-490

responsibilities, 467-469

SDN/NFV impacts, 469-470

skills in demand, 488-489

ITU-T (International Telecommunication Union—Telecommunication Standardization Sector), 88, 304

cloud computing reference architecture, 365-371

actors, 365

layers, 366-368

IoT reference model (Y.2060), 395, 400-401

actuating devices, 396

communication networks, 396

data-capturing devices, 396

data carriers, 396

devices, 396-399

gateway, 396

general devices, 396

sensing devices, 396

terminology, 395-396

things, 396

SDN/NFV standards, 88

Y.2060 Overview of the Internet of Things, 374

Y.2066 security and privacy, 459-461

Y.3300 SDN high-level architecture, 120-121

Y.3500

cloud capabilities types, 356

cloud service categories, 355

emerging cloud service categories, 357

IWF (IoT World Forum), 401-403

application level, 407

collaboration/processes level, 407

connectivity level, 403

data abstraction level, 407

data accumulation level, 406-407

edge computing level, 403-404

physical devices/controllers level, 403

summary, 408

J–K

JCA-SDN (Joint Coordination Activity on Software-Defined Networking), 88

Juniper networking certifications, 485

Kemp Technologies blog “SDN is from Mars, NFV is from Venus” website, 229

L

L2Switch, 127

L2VPN (Layer 2 VPN), 244-246

L2/L3 virtual networks, 210-211

L3VPN (Layer 3 VPN), 244-246

label-switched paths (LSPs), 244

label-switching routers (LSRs), 244

LANs

configuration, 231

enterprise, 17

partitioned, 233

switches, 231

Laravel, 489

latency. See delays

Layer 3 switches, 10

layered system constraint (REST), 130

Layer object, 338

layers

abstraction, 146-152

control, 121

IoT, 29-30

ITU-T cloud computing reference architecture, 366-368

OpenDaylight architecture, 122

QoE/QoS, 308-310

resource, 121

legacy switches, 238

LE (lower than best effort) traffic, 268

life science IoT services, 376

link discovery, 120

Linux Foundation, 409

LISP (Location/Identifier Separation Protocol), 126-127

logical ports, 96

logical resources, 247

logical switches (OpenFlow), 97

flow table. See flows, tables

group tables, 107-109

lower than best effort (LE) traffic, 268

LSPs (label-switched paths), 244

LSRs (label-switching routers), 244

M

MACs (media access control) frames, 231

magnetic devices, 379

malicious insider threats, 451

management

agents, 275

automation component (Cisco IoT system), 426

cloud service, 364

device, 114

forwarding rules, 124

NFV management and orchestration. See MANO

notification, 114

QoS architecture, 272

servers, 46

statistics

OpenDaylight, 124

SDN controllers, 114

switch

OpenDaylight, 124

retrieving statistics, 131

updating statistics, 132

topology

OpenDaylight, 124

SDN controllers, 114, 120

virtualized infrastructure (VIM), 217-218

VNFM, 218

MANO (NFV management and orchestration), 217

architecture, 217

element management, 220

NFVO, 219

OSS/BSS, 220

repositories, 219

VIM, 217-218

VNFM, 218

MANs (metropolitan-area networks), 14, 17

mapping models (QoE/QoS), 323

black-box media-based, 323-325

choosing, 327

glass-box parameter-based, 325-326

gray-box, 326-327

IP-oriented parameter-based, 327-329

MapReduce, 488

marking

DiffServ, 281

packets, 270

traffic, 285

master QoE agents, 339

match fields entry (flow tables), 98-101

mean opinion score (MOS), 316

measurement

applications, 157

QoE, 312

end-user device analytics, 315

MOS (mean opinion score), 316-317

objective assessment, 314-315

subjective assessment, 312-314

mechanical actuators, 381

media

access control frames (MACs), 231

devices, 379

Internet providers, 17

video on demand, 17

membership (VLANs)

communicating, 236

defining, 235

messages

CoAP, 412-414

GET, 131

instant, 34

OpenFlow, 109-111

POST, 132

SDNi, 141

unified, 34

metadata field (flow table match fields), 100

meters

DiffServ, 281

OpenFlow QoS support, 297-298

tables, 97

traffic, 272, 285

metrics

IP performance, 293

benefits, 293

listing of, 293

measurement techniques, 295

need, 293

pdv, 295

sample metrics, 295

stages, 294

statistical metrics, 295

QoE

mapping models, 323-329

networks/services management, 341-344

service monitoring, 335-340

service-oriented actionable, 331

system-oriented actionable, 330

QoS

mapping models, 323-329

service monitoring, 334-335

metro Ethernet, 14

metropolitan-area networks (MANs), 14

microcontrollers, 381

application processors, 383

chips, 385

dedicated processors, 383

deeply embedded systems, 386

embedded systems, 381-383

microprocessors, 383-384

microprocessors, 383-384

Microsoft

cloud computing certification programs, 482

systems engineer certifications, 486

mobile cellular networks, 223

mobile traffic, 51-52

mobility

SDN

applications, 168

driving factor, 69

UC architecture, 35

models

cloud deployment

community, 360

hybrid, 360

private, 359

public, 359

QoE/QoS mapping, 323

black-box media-based, 323-325

choosing, 327

glass-box parameter-based, 325-326

gray-box, 326-327

IP-oriented parameter-based, 327-329

modern networking

elements, 71

requirements, 80

modules

OpenDaylight, 125

controller, 126

network applications, orchestration, and services, 127

southbound interfaces/protocol plug-ins, 125

PolicyCop application, 155

monitoring

applications, 157

categories, 332

on-demand, 333

probes, 333

QoE, 335-340

agent objects, 338

API layers, 337

configurations, 335

QoS, 334-335

virtual machines (VMMs), 179-180, 183

MOS (mean opinion score), 316-317

motherboards, 383

MPLS (Multiprotocol Label Switching), 9

label value/traffic class/BoS fields (flow table match fields), 100

LSRs, 244

VPNs, 243-247

Layer 2, 245-246

Layer 3, 246

multicore processors, 384

multimedia, 301

N

NaaS (Network as a Service), 356

National Institute of Standards and Technology. See NIST

neighbors, 136

nesting

flow tables, 106-107

VLANs, 239

NETCONF, 125

network-centric vertical handover QoE-based network management, 342-344

network layer QoE/QoS video services mapping models, 328

networks

capacity, 48

certification programs, 484

cloud, 350

connectivity, 423-424

functions (NFs), 187

Functions Virtualization Industry Standards Group. See ISG NFV

Functions virtualization infrastructure. See NFVI

Functions virtualization. See NFV

interface cards (NICs), 205

nodes, 207

operating system (NOS), 114

OSS, 50

point of presence (N-PoP), 187

providers, 6

QoE-based management

host-centric vertical handover, 341-342

network-centric vertical handover, 342-344

VoIP calls, 341

services

catalog, 219

NFV, 187

virtualization. See NV

NFs (network functions), 187

NFV (network functions virtualization), 70, 184

background, 177-178

benefits, 191-192

cloud computing, 368-371

compute domains, 187

configuration example, 188-189

container interface, 199-202

COTS, 184

data packet inspection, 184

defined, 70, 187

deployment, 443

forwarding paths, 187

functions, 187

high-level framework, 190-191

infrastructure, 199

compute domain, 205-208

container deployment, 203

domains, 187, 199, 204

hypervisor domain, 208-209

IND, 209-213

nodes, 206-208

virtual network alternatives, 211

instances, 220

IT/network job position impact, 469-470

MANO, 217

architecture, 217

element management, 220

NFVO, 219

OSS/BSS, 220

repositories, 219

VIM, 217-218

VNFM, 218

modern networking schema, 72

NFVI, 187

NFVI-Node, 187

NFVI-PoP, 187

N-PoP, 187

orchestrator (NFVO), 219

PNF, 187

principles, 189

reference architecture, 193-194

implementation, 196

management/orchestration, 194

reference points, 195

requirements, 192-193

services, 187

SDI, enabling, 258

SDN

relationship, 225-228

similarities, 70

security, 441

attack surfaces, 441-444

ETSI security perspective, 444-446

techniques, 446

standards, 85-87, 186

industry consortiums, 89

open development initiatives, 90

SDOs, 87-89

use cases, 221

architectural, 222-223

service-oriented, 223-225

virtual networks, 187, 210

vision, 185

VNF, 187, 213

FG, 187

interfaces, 213-214

potential functions, 213

scaling, 216

sets, 187

VNFC to VNFC communication, 215-216

NFVI (network functions virtualization infrastructure), 187, 199

container deployment, 203

domains, 199

compute, 205-208

hypervisor, 208-209

IND, 209-213

logical structure, 204

nodes, 187, 206-208

PoP, 187, 207

resources, 220

virtual network alternatives, 211

NFVIaaS (NFVI as a Service), 222

NFVO (NFV orchestrator), 219

NICs (network interface cards), 205

NIST (National Institute of Standards and Technology), cloud computing, 26

characteristics, 26

reference architecture, 361-365

nodes

DiffServ, 280

NFVI, 187, 206-208

no-reference quality models, 324

northbound interfaces, 117-119, 146

NOS (network operating system), 114

notification manager, 114, 419

N-PoP (network point of presence), 187

NV (network virtualization)

agility, 253

architecture, 250-252

benefits, 252

capital cost savings, 253

defined, 247

equipment consolidation, 253

example, 248-249

flexibility, 253

function manager, 218

infrastructure-based, 212

L2 versus L3, 210-211

levels of abstraction, 248

logical resources, 247

NFV, 187

NFVI alternatives, 211

operational cost savings, 253

physical resources, 247

rapid service provisioning, 253

scalability, 253

virtual overlay, 212

virtual resources, 247

O

objective assessment (QoE), 314-315

ODCA (Open Data Center Alliance), 80, 89

office Ethernet, 12

off-path caching, 170

OIC (Open Interconnect Consortium), 409

OnCue, 489

on-demand monitoring, 333

one-sided quality models, 324

one-way delay metric, 294

one-way loss metric, 294

one-way loss pattern metric, 294

ONF (Open Networking Foundation), 79

Certified SDN Associate certification, 481

Certified SDN Engineer certification, 481

defined, 89

traditional network architecture limitations, 79-80

Onix, 115

ONOS (Open Network Operating System), 115

on-path caching, 170

Open Data Center Alliance (ODCA), 80, 89

open development initiatives, 90

Open Interconnect Consortium (OIC), 409

Open Networking Foundation. See ONF

Open Network Operating System (ONOS), 115

Open Platform, 90

Open Platform for NFV (OPNFV), 196

Open Service Gateway Initiative (OSGi), 123

open standards, 85-87

industry consortiums, 89

open development initiatives, 90

SDOs, 87-89

Open vSwitch Database Management Protocol (OVSDB), 116

OpenCrowd example SaaS services survey, 352-353

OpenDaylight, 90, 115, 122

architecture, 122

base network service functions, 124

control plane/application plane functionality, 123

flexibility, 123

Helium, 124

layers, 122

modules, 125-127

SAL, 123

Defense4All DDoS application, 157-159, 162

architecture, 160-162

context, 158

detected attacks, mitigating, 159

protection techniques, 158

SDNi, 141-142

VTN, 253-257

architecture, 257

Coordinator, 254

elements, 254

flows, 256

Manager, 254

mapping, 255

OpenFlow, 89

channels, 96

defined, 95

encapsulated packets, 111

event-based messages, 111

flow, 98, 111

flow tables

actions, 101

action sets, 102

entries, 98

instructions component, 102

match fields, 99-101

nesting, 106-107

pipeline, 102-105

structure, 98

group tables, 107-109

action buckets, 108

entries, 107

group types, 108-109

messages, 109-111

ports, 96

QoS, 296-298

switches, 96-97

VLAN support, 240

OpenStack, 90, 126-127

operating frequencies (RFID), 391

operations

cost savings, 253

expenditure (OpEx), 191

support system (OSS), 50

technology (OT), 29, 407

OpEx (operational expenditure), 191

OPNFV (Open Platform for NFV), 196

optical devices, 379-398

OSGi (Open Service Gateway Initiative), 123

OSS (operations support system), 50

OSS/BSS (NFV MANO), 220

OT (operational technology), 29, 407

OVSDB (Open vSwitch Database Management Protocol), 116, 125-127

P

PaaS (Platform as a Service), 353, 488

PAAs (Policy Adaptation Actions), 156

Packet Cable MultiMedia, 125

packet-switched networks (PSNs), 244

packets

choke, 65

Content, 169

defined, 79

delaying, 285

delay variation (pdv), 294-295

discarding, 273

dropping, 285

encapsulated, 111

faces, 170

flows, 80, 97

forwarding, 56-57

ISA router implementation, 275

SDN, 83

inspection, 184

Interest, 169

loss, 41

marking, 270

queue management, 270

real-time transmission, 44

scheduling, 275

switching, 79

variable-length, 44

partitioning

LANs, 233

virtual, 212

Pascal, 489

passive measurement techniques, 295

patching vulnerabilities (IoT), 459

payment RFID technology, 387

PCEP (Path Computation Element Communication Protocol), 126

PCMM (Packet Cable MultiMedia), 125

pdv (packet delay variation), 294-295

peering, 11

perception, 306

perceptual QoE, 54

perform action on packet instructions, 102

performance

cloud computing, 50

congestion

ideal, 61-63

practical, 63-64

IP performance metrics, 293-296

benefits, 293

listing of, 293

measurement techniques, 295

need, 293

pdv, 295

sample metrics, 295

stages, 294

statistical metrics, 295

QoE

categories, 54

challenges, 55

defined, 54

QoS, compared, 54

SLAs, 281

Persistent-Data object, 339

personal technology, 29

PfMP (Portfolio Management Professional), 486

PfR (Cisco Performance Routing), 272

PgMP (Program Management Professional), 486

PHB (per-hop behavior), 286

assured forwarding, 288-289

class selector, 289-291

default forwarding, 287

DiffServ, 281

expedited forwarding, 287

physical devices/controllers level (IWF IoT reference model), 403

physical network function (PNF), 187

physical port field (flow table match fields), 100

physical ports, 96

physical resources, 247

Pig, 488

pipelines (flow tables), 102-105

egress processing, 105

ingress processing, 104

processing, 102-103

Platform as a Service (PaaS), 353, 488

platforms (ioBridge), 427

RealTime.io, 430

ThingSpeak, 428-429

PLC (powerline carrier), 12

Plugin2OC, 126-127

PMI-ACP (PMI Agile Certified Practitioner), 485

PMI-PBA (PMI Professional in Business Analysis), 486

PMP (Project Management Professional), 486

pneumatic actuators, 381

PNF (physical network function), 187

PoE (Power over Ethernet), 12

POF (Protocol Oblivious Forwarding), 117

points of presence (PoPs), 17, 187

policing traffic, 270

Policy Adaptation Actions (PAAs), 156

PolicyCop, 153-156

architecture, 154

control rules, 155

features, 154

modules, 155

PAAs, 156

workflow, 156

PoPs (points of presence), 17, 187

Portfolio Management Professional (PfMP), 486

ports, 96, 100

position measuring devices, 378

POST message type, 132

Power over Ethernet (PoE), 12

power workgroups, 16

powerline carrier (PLC), 12

POX, 115

PQ (priority queuing), 278

pressure/force sensors, 378

printed circuit boards, 383

priority entry (flow tables), 98

privacy

cloud

infrastructure, 359

perspective, 369

SDN controllers, 134

probes, 333

processing

big data, 48

flow table pipelines, 102-103

egress, 105

ingress, 104

processors

application, 383

dedicated, 383

micro, 383-384

multicore, 384

PROD (production), 471

professionals

certification programs, 480-487

cloud computing, 482-483

IT security, 487

networking, 484

project management, 485

SDN, 481

systems engineer, 486

virtualization, 481-483

emerging roles, 467

responsibilities, 467-469

SDN/NFV impacts, 469-470

online resources, 489-490

skills in demand, 488-489

Program Management Professional (PgMP), 486

programmability (DevOps), 477

project management, 485

Project Management Professional (PMP), 486

protection. See also security

cloud data, 452-453

DDoS attacks, 157-159, 162

protocols

BGP

defined, 136

functions, 136

routing between SDN domains, 138

SDN QoS management, 138-140

CoAP, 411-414

formats, 412

message exchange example, 414

message method, 413

messages, 412

EGP, 59

ERP, 136

IGP, 59

IP. See IP

LISP, 126

MPLS, 9

neighbor acquisition/reachability, 136

network reachability, 137

Oblivious Forwarding (POF), 117

OpenFlow. See OpenFlow

PCEP, 126

Plugin Manager, 417

reservation, 275

routing, 57

ERPs, 59

IRPs, 58

ISA, 275

SDN data plane, 95

SNMP, 126

TCP

congestion control, 267

flags field (flow table match fields), 101

source/destination ports (flow table match fields), 100

TCP/IP, 79

providers

application, 6-7

architectural components (cloud), 364

bridge traffic ISID field (flow table match fields), 100

content, 7

Internet media, 17

network, 6

proximity motion sensors, 378

PSN (packet-switched networks), 244

psychological QoE, 54

public

cloud infrastructure, 359

safety IoT services, 375

Wi-Fi, 20

Q

QoE (Quality of Experience), 54, 266

actionable, 330-331

agents, 337

APIs, 337

master, 339

objects, 338

slave, 339

applications, 317

categories, 54

challenges, 55

definitions, 306-308

influences, 311-312

layered model, 308-310

mapping models, 323

black-box media-based, 323-325

choosing, 327

glass-box parameter-based, 325-326

gray-box, 326-327

IP-oriented parameter-based, 327-329

measurement, 312

end-user device analytics, 315

MOS (mean opinion score), 316-317

objective assessment, 314-315

subjective assessment, 312-314

monitoring, 335-340

agent objects, 338

API layers, 337

configurations, 335

motivations, 301

networks and services management, 318

host-centric vertical handover, 341-342

network-centric vertical handover, 342-344

VoIP calls, 341

online video content delivery, 302-303

QoS, compared, 54

service

failures, 304

monitoring, 317

standardization projects, 304-305

QoS (quality of service), 40, 266

architecture, 268

control plane, 271-272

data plane, 269-271

management plane, 272

background, 267-268

defined, 53, 266

DiffServ. See DiffServ

elastic traffic, 40

IPPM, 293-296

benefits, 293

measurement techniques, 295

metrics, listing of, 293

need, 293

pdv, 295

sample metrics, 295

stages, 294

statistical metrics, 295

ISA

components, 274-275

defined, 273

design, 273-274

flows, 273

services, 276-279

layered model, 308-310

mapping models, 323

black-box media-based, 323-325

choosing, 327

glass-box parameter-based, 325-326

gray-box, 326-327

IP-oriented parameter-based, 327-329

modern networking schema, 72

monitoring, 334-335

online video content delivery, 303

OpenFlow, 296-298

policies, 272

PolicyCop application, 153-156

architecture, 154

control rules, 155

features, 154

modules, 155

PAAs, 156

workflow, 156

properties, 53

QoE, compared, 54

routing, 272

SDN

managing with BGP, 138-140

routing between domains, 137-138

SLAs

architecture, 292

availability, 292

features, 291

latency, 292

reliability, 293

QUALINET, 304-308

quality

formation process, 307-308

QoE definition, 306

Quality of Experience. See QoE

Quality of Service. See QoS

QuEEN (Quality of Experience Estimators in Networks), 305

querying resources, 416-417

queues

custom, 278

data flows, 270

disciplines, 277-279

fair queuing, 279

FIFO, 277

management, 270

OpenFlow QoS support, 296

priorities, 278

R

radio-frequency identification. See RFID

random early detection (RED), 271

RAN (radio access network), 224

rapid service provisioning, 253

rate-based explicit congestion signaling, 67

RBAC (role-based access control), 463

read range (RFID tags), 390

real-time, 43, 430

communications (RTC), 33

traffic

continuous data sources, 44

defined, 43

delays, 43

illustration, 43

on/off sources, 44

packet transmission, 44

variable-length packets, 44

recording traffic, 272

Red Hat

Certified Engineer (RHCE), 487

Certified Systems Administrator (RHCSA), 487

Enterprise Linux Atomic Host DevOps related products, 479

RED (random early detection), 271

reference points

IND, 209

NFV, 195

references

“Bandwidth Needs in Core and Aggregation Nodes in the Optical Transport Network” website, 37

Cisco Systems Internetworking Technology Handbook website, 299

IBM Study “Every Day We Create 2.5 Quintillion Bytes of Data” website, 73

Inter-SDN Controller Communication: Using Border Gateway Protocol, 143

IoT World Forum website, 431

Kemp Technologies blog “SDN is from Mars, NFV is from Venus” website, 229

“SDI Wars: WTF Is Software Defined Center Infrastructure?” website, 263

Telecom Lighthouse, 229

reliability

SDN controllers, 133

SLAs, 293

repositories, 219

REpresentational State Transfer. See REST

Request For Comments (RFC), 87

requirements

cloud computing, 50

elastic traffic, 39

evolving

complex traffic patterns, 78

demand increases, 77

inadequate architectures, 79-80

supply increases, 77

inelastic traffic, 40-42

IoT security, 459-461

modern networks, 80

NFV, 192-193

security, 435-436

reservation protocols, 275

reserving

ports, 97

resources, 272

residential. See homes

resolution, 380

resources

layers, 121

NFVI, 220

querying, 416-417

reserving, 272

responsibilities

IT/network professionals, 467-469

NIST cloud computing reference architecture, 361, 364

REST (REpresentational State Transfer), 128

API example, 130-132

constraints, 128-130

cache, 129

client-server, 128

code-on-demand, 130

layered system, 130

stateless, 128

uniform interface, 129

defined, 128

resource request/response handlers, 419

URIs, 129

restoring traffic, 272

retail IoT, 376

RFC (Request For Comments), 87

RFC 4594 (Configuration Guidelines for DiffServ Service Classes), 41

RFID (radio-frequency identification), 387

access control, 388

anti-counterfeiting tool, 388

applications, 387-389

devices, 397

functionalities, 391-392

operating frequencies, 391

payment/stored value systems, 387

readers, 390

tags, 389-390

functionalities, 391-392

operating frequencies, 391

readers, 390

types, 390

tracking/identification, 387

RHCE (Red Hat Certified Engineer), 487

RHCSA (Red Hat Certified Systems Administrator), 487

roles

based access control (RBAC), 463

IT professionals, 467

responsibilities, 467-469

SDN/NFV impacts, 469-470

NIST cloud computing reference architecture, 361-364

round-trip delay metric, 294

routing

aggregation, 8

algorithms, 273

characteristics, 55-56

core, 8

elements, 59-60

packet forwarding, 56-57

peering, 11

protocols, 57

ERPs, 59

IRPs, 58

QoS, 272

queuing disciplines, 277-279

router elements, 59-60

SDN

controllers, 119-120

domains, 137-138

RStudio, 489

RTC (real-time communications) dashboard, 33

Ryu, 115

S

SaaS (Software as a Service), 352

defined, 352

OpenCrowd example SaaS services survey, 352-353

subscribers, 352

SAL (service abstraction layer), 123

Salesforce cloud computing certification programs, 482

sample metrics, 295

satellite TV end-to-end delivery chain, 301

scalability, 216

cloud computing, 50

NV, 253

SDN controllers, 133

scheduling

data flows, 270

packets, 275

scripting (DevOps), 477

SCTP (Stream Control Transmission Protocol), 100, 342

“SDI Wars: WTF Is Software Defined Center Infrastructure?” website, 263

SDI (software-defined infrastructure), 257

applications, 258

architecture, 261-262

defined, 257

features, 258-259

NFV, 258

SDN, 258

SDS, 259-260

SDK API (CM), 419

SDN (software-defined networking), 67

API, 83

applications, 85, 145

applications, 147

data center networking, 162-168

ICN, 168-173

measurement, 157

mobility/wireless, 168

monitoring, 157

network services abstraction layer, 146-152

northbound interface, 146

security, 157-162

traffic engineering, 153-156

user interface, 147

certification programs, 481

characteristics, 85

cloud computing, 368-371

controllers, 68

application threats, 439

centralized, 133

distributed, 134

federation, 135

functions, 113-114

HA clusters, 134

IETF SDNi, 140-141

implementing, 84, 115

northbound interfaces, 117-119

OpenDaylight modules, 126

OpenDaylight SDNi, 141-142

PolicyCop application, 155

privacy, 134

QoS management, 138-140

reliability, 133

routing, 119-120

routing between domains, 137-138

scalability, 133

security threats, 439

southbound interfaces, 116-117

control plane, 68, 82, 113

data plane, 68, 82

functions, 93-94

protocols, 95

security threats, 437-439

defined, 67

deployment driving factors, 68-69

domains, 133

functionality, 67

IT/network job position impact, 469-470

ITU-T Y.3300 high-level architecture, 120-121

mobility driving factor, 69

modern networking schema, 72

NFV

relationship, 225-228

similarities, 70

NOS, 114

OpenDaylight architecture, 122

base network service functions, 124

control plane/application plane functionality, 123

flexibility, 123

Helium, 124

layers, 122

modules, 125-127

SAL, 123

OpenFlow. See OpenFlow

packet forwarding, 83

REST

API example, 130-132

constraints, 128-130

defined, 128

SDI, enabling, 258

security

controllers, 114

goals, 157

OpenDaylight Defense4All DDoS application, 157-162

software-defined, 440

threats, 436, 439

server virtualization, 68

standards, 85-87

industry consortiums, 89

open development initiatives, 90

SDOs, 87-89

SDNi (Software-Defined Networking interface), 127

aggregator, 127

IETF, 140-141

messages, 141

OpenDaylight, 141-142

wrappers, 127

SDOs (standards-developing organizations), 87-89

SDS (software-defined storage), 259-260

SecaaS (Cloud Security as a Service), 453-456

business continuity/disaster recovery, 456

data loss prevention, 455

encryption, 456

IAM, 455

intrusion management, 456

network security, 456

security assessments, 455

SIEM, 456

Web security, 455

second generation (2G) cellular networks, 23

Secure Network Bootstrapping Infrastructure (SNBi), 125

security

AAA

authentication filter, 127

OpenDaylight, 126

big data concerns, 48

certification programs, 487

Cisco IoT system, 425-426

cloud computing, 446

architecture, 448

auditability, 449

availability, 448-449

compliance, 447

controls, 457

data protection, 448, 452-453

governance, 447

identity/access management, 448

incident response, 448

Security as a Service, 453-456

sharing vendor resources, 449

software isolation, 448

subscriber protection, 450

threats, 449-452

trust, 447

DDoS

Defense4All application, 157-159, 162

OpenDaylight, 127

e-mail, 455

encryption, 23

information and event management (SIEM), 456

IoT, 458-459

framework, 462-464

patching vulnerabilities, 459

requirements, 459-461

services, 375

IP (IPsec), 241-243

network, 456

NFV, 441

attack surfaces, 441-444

ETSI security perspective, 444-446

techniques, 446

privacy

cloud, 359, 369

SDN controllers, 134

requirements, 435-436

SDN

controllers, 114

goals, 157

OpenDaylight Defense4All DDoS application, 157-162

software-defined, 440

threats, 436, 439

TLS, 438

Web, 455

select group type, 109

sensing devices (IoT), 396

sensors, 377

accuracy, 379

defined, 377

interfaces, 377

IoT, 29

precision, 379

resolution, 380

technology, 29

types, 378-379

servers

blade, 14

centralized farms, 16

data management, 46

IoTivity, 419

network management, 47

virtualization, 68

services

abstraction layer (SAL), 123

actionable QoE, 331

class characteristics (traffic), 41

cloud

CaaS, 355

cloud capability types, 356

CompaaS, 356

DSaaS, 356

emerging, 357

IaaS, 354-355

NaaS, 356

PaaS, 353

SaaS, 352-353

XaaS, 357-358

Cloud Security as a Service, 453-456

business continuity/disaster recovery, 456

data loss prevention, 455

encryption, 456

IAM, 455

intrusion management, 456

network security, 456

security assessments, 455

SIEM, 456

Web security, 455

differentiated. See DiffServ

enterprise, 30

function chaining (SFC), 126

GBP, 126

hijacking, 451

IoTivity Base, 415-420

ISA, 276

controlled load, 277

guaranteed, 276

queuing disciplines, 277-279

LISP, 127

monitoring

categories, 332

on-demand, 333

probes, 333

QoE, 317

network

NFV, 187

SDN application plane abstraction layer, 146-152

OpenStack, 126

PaaS, 488

provider perspective (cloud computing), 369

QoE-based management

host-centric vertical handover, 341-342

network-centric vertical handover, 342-344

VoIP calls, 341

sectors (IoT)

buildings, 377

consumer and home, 376

energy, 377

healthcare/life science, 376

industrial, 376

IT/networks, 375

retail services, 376

security/public safety, 375

transportation, 376

SNBi, 127

use cases (NFV), 223-225

CDNs, 224

fixed access network functions, 225

home environments, 224

mobile cellular networks, 223

RAN equipment, 224

SFC (service function chaining), 126

shaping

DiffServ, 281

traffic, 270, 285

sharing

technology threats, 451

vendor resources, 449

shortest path forwarding, 114

SIEM (security information and event management), 456

Simple Network Management Protocol (SNMP), 126

singleton metrics, 294

SIT (system integration testing), 471

 

需求技能,488 - 489

skills in demand, 488-489

 

SLA(服务级别协议),272

SLAs (service level agreements), 272

 

建筑, 292

architecture, 292

 

可用性, 292

availability, 292

 

区分服务,281

DiffServ, 281

 

特征, 291

features, 291

 

延迟,292

latency, 292

 

可靠性,293

reliability, 293

 

从属 QoE 代理,339

slave QoE agents, 339

 

智能家居数据模型(CM),419

smart home data models (CM), 419

 

Smashwords.com,263

Smashwords.com, 263

 

SNBi(安全网络引导基础设施),125 - 127

SNBi (Secure Network Bootstrapping Infrastructure), 125-127

 

SNMP(简单网络管理协议),126

SNMP (Simple Network Management Protocol), 126

 

软传感器管理器,417

Soft Sensor Manager, 417

 

软件

software

 

作为服务。查看 软件即服务

as a Service. See SaaS

 

定义的网络。参见 软件定义网络

defined networking. See SDN

 

定义的网络接口。参见 SDNi

Defined Networking interface. See SDNi

 

隔离,448

isolation, 448

 

安全,440

security, 440

 

存储(SDS),259 - 260

storage (SDS), 259-260

 

ARP 负载字段(流表匹配字段)中的源/目标 IPv4 地址,100

source/target IPv4 addresses in ARP payload field (flow table match fields), 100

 

南向接口,116 - 117

southbound interfaces, 116-117

 

专用传感器,379

specialized sensors, 379

 

规范抽象,149

specification abstraction, 149

 

SSCP(系统安全认证从业者),487

SSCP (Systems Security Certified Practitioner), 487

 

标准

standards

 

定义, 85

defined, 85

 

发展中组织 (SDO),87 - 89

developing organizations (SDOs), 87-89

 

以太网,14

Ethernet, 14

 

IEEE 802.1Q,237 - 238

IEEE 802.1Q, 237-238

 

网络功能虚拟化, 85 - 87 , 186

NFV, 85-87, 186

 

行业联盟,89

industry consortiums, 89

 

开放发展举措,90

open development initiatives, 90

 

SDO,87 - 89

SDOs, 87-89

 

开放,85

open, 85

 

QoE 项目,304 - 305

QoE projects, 304-305

 

服务质量。参见 ISA

QoS. See ISA

 

SDN,85 - 87

SDN, 85-87

 

行业联盟,89

industry consortiums, 89

 

开放发展举措,90

open development initiatives, 90

 

SDO,87 - 89

SDOs, 87-89

 

无线网络连接,21

Wi-Fi, 21

 

无状态约束(REST),128

stateless constraint (REST), 128

 

统计数据

statistics

 

经理

manager

 

开放日光,124

OpenDaylight, 124

 

SDN 控制器,114

SDN controllers, 114

 

指标,295

metrics, 295

 

转变

switch

 

检索, 131

retrieving, 131

 

更新,132

updating, 132

 

贮存

storage

 

大数据,48

big data, 48

 

云, 350

cloud, 350

 

物联网,30

IoT, 30

 

节点,206

nodes, 206

 

储值系统 RFID 技术,387

stored value systems RFID technology, 387

 

流控制传输协议 (SCTP), 100 , 342

Stream Control Transmission Protocol (SCTP), 100, 342

 

主观评估(QoE),312 - 314

subjective assessment (QoE), 312-314

 

订阅

subscriptions

 

经理, 419

manager, 419

 

保护, 450

protecting, 450

 

SuperCloud DevOps 相关产品,479

SuperCloud DevOps related products, 479

 

开关

switches

 

电子开关,205

eswitch, 205

 

局域网,231

LAN, 231

 

第3层、第10层

Layer 3, 10

 

遗产, 238

legacy, 238

 

开放日光,124

OpenDaylight, 124

 

开放流,96 - 97

OpenFlow, 96-97

 

统计数据

statistics

 

检索, 131

retrieving, 131

 

更新,132

updating, 132

 

职责范围,17

ToR, 17

 

对称消息,110

symmetric messages, 110

 

系统集成测试(SIT),471

system integration testing (SIT), 471

 

面向系统的可操作 QoE,330

system-oriented actionable QoE, 330

 

系统工程师认证项目,486

systems engineer certification programs, 486

 

时间

T

 

桌子

tables

 

流动

flow

 

行动,101

actions, 101

 

动作组,102

action sets, 102

 

条目, 98

entries, 98

 

指令组件,102

instructions component, 102

 

匹配字段,99 - 101

match fields, 99-101

 

嵌套,106 - 107

nesting, 106-107

 

管道,102 - 105

pipeline, 102-105

 

结构, 98

structure, 98

 

团体

group

 

行动桶,108

action buckets, 108

 

条目, 107

entries, 107

 

组类型,108 - 109

group types, 108-109

 

开放流,107 - 109

OpenFlow, 107-109

 

OpenFlow 逻辑交换机,97

OpenFlow logical switch, 97

 

流量,106 - 107

flow, 106-107

 

组,107 - 109

group, 107-109

 

标签(RFID),389 - 390

tags (RFID), 389-390

 

功能,391 - 392

functionalities, 391-392

 

工作频率,391

operating frequencies, 391

 

读者,390

readers, 390

 

读取范围,390

read range, 390

 

类型, 390

types, 390

 

尾部掉落技术,271

tail drop technique, 271

 

泰勒和弗朗西斯在线网站,431

Taylor & Francis Online website, 431

 

TCA(交通调节协议),281

TCAs (traffic conditioning agreements), 281

 

传输控制协议

TCP

 

拥塞控制,267

congestion control, 267

 

flags字段(流表匹配字段),101

flags field (flow table match fields), 101

 

源/目的端口(流表匹配字段),100

source/destination ports (flow table match fields), 100

 

TCP/IP

TCP/IP

 

特征,79

characteristics, 79

 

定义, 79

defined, 79

 

技术开发,373

technology development, 373

 

电信灯塔网站,229

Telecom Lighthouse website, 229

 

温度传感器,379

temperature sensors, 379

 

模板, 181

templates, 181

 

事物(物联网),396

things (IoT), 396

 

事物经理,417

Things Manager, 417

 

事物说话,428 - 429

ThingSpeak, 428-429

 

第三代 (3G) 蜂窝网络,24

third generation (3G) cellular networks, 24

 

威胁

threats

 

云安全,449

cloud security, 449

 

滥用/恶意使用,450 - 452

abuse/nefarious use, 450-452

 

帐户/服务劫持,451

account/service hijacking, 451

 

数据丢失/泄露,451

data loss/leakage, 451

 

恶意内部人员,451

malicious insiders, 451

 

共享技术问题,451

shared technology issues, 451

 

未知的风险状况,452

unknown risk profiles, 452

 

不安全的接口/API,450

unsecure interfaces/APIs, 450

 

SDN 安全, 436 , 439

SDN security, 436, 439

 

应用平面,439

application plane, 439

 

控制平面,439

control plane, 439

 

数据平面,437 - 439

data plane, 437-439

 

三个 V(体积、速度、可变性),48

three V’s (volume, velocity, variability), 48

 

吞吐量,40

throughput, 40

 

超时条目(流表),98

timeouts entry (flow tables), 98

 

计时器对象,339

Timer object, 339

 

TLS(传输层安全),437

TLS (Transport Layer Security), 437

 

阶段, 438

phases, 438

 

安全, 438

security, 438

 

TCP/IP 体系结构,437

TCP/IP architecture, 437

 

令牌桶,285

token buckets, 285

 

拓扑管理器

topology manager

 

开放日光,124

OpenDaylight, 124

 

SDN控制器114、120

SDN controllers, 114, 120

 

ToR(架顶式)交换机,17

ToR (top-of-rack) switches, 17

 

总经过时间,40

total elapsed time, 40

 

跟踪 RFID 技术,387

tracking RFID technology, 387

 

传统建筑,79 - 80

traditional architectures, 79-80

 

交通

traffic

 

尽最大努力,267

best effort, 267

 

大数据,45

big data, 45

 

分析,46

analytics, 46

 

关注领域,48

areas of concern, 48

 

定义, 45

defined, 45

 

生态系统示例,46 - 48

ecosystem example, 46-48

 

基础设施, 46

infrastructures, 46

 

三个V,48

three V’s, 48

 

分类, 269 , 285

classification, 269, 285

 

云计算,48

cloud computing, 48

 

核心,50

core, 50

 

互联云,50

intercloud, 50

 

云内,49

intracloud, 49

 

开放源码软件,50

OSS, 50

 

要求,50

requirements, 50

 

虚拟机,49

virtual machines, 49

 

复杂图案,78

complex patterns, 78

 

调理

conditioning

 

协议,281

agreements, 281

 

区分服务,281 - 285

DiffServ, 281-285

 

拥塞。查看 拥堵情况

congestion. See congestion

 

控制,271 - 272

controlling, 271-272

 

滴管,285

droppers, 285

 

工程,153 - 156

engineering, 153-156

 

松紧带

elastic

 

应用程序, 39

applications, 39

 

福利, 40

benefits, 40

 

定义, 39

defined, 39

 

延误, 39

delays, 39

 

服务质量,40

QoS, 40

 

要求,39

requirements, 39

 

总经过时间,40

total elapsed time, 40

 

流量

flows

 

分类,269

classification, 269

 

治安,270

policing, 270

 

塑形, 270

shaping, 270

 

VTN,256

VTN, 256

 

无弹性的

inelastic

 

定义, 40

defined, 40

 

延误,40

delays, 40

 

互联网要求,42

internet requirements, 42

 

丢包,41

packet loss, 41

 

服务质量要求,42

QoS requirements, 42

 

要求,40

requirements, 40

 

服务等级特征,41

service class characteristics, 41

 

吞吐量,40

throughput, 40

 

低于尽力而为,268

lower than best effort, 268

 

标记,285

markers, 285

 

计量, 272 , 285

metering, 272, 285

 

移动, 51

mobile, 51

 

类别, 52

categories, 52

 

成长, 52

growth, 52

 

预测,52

projections, 52

 

无线用户,52

wireless users, 52

 

世界总数,计算中,51

world total, calculating, 51

 

数据包标记,270

packet marking, 270

 

治安,270

policing, 270

 

排队和调度,270

queuing and scheduling, 270

 

即时的

real-time

 

连续数据源,44

continuous data sources, 44

 

定义, 43

defined, 43

 

延误, 43

delays, 43

 

插图, 43

illustration, 43

 

开/关源,44

on/off sources, 44

 

数据包传输,44

packet transmission, 44

 

可变长度数据包,44

variable-length packets, 44

 

录音, 272

recording, 272

 

修复, 272

restoration, 272

 

整形, 270 , 285

shaping, 270, 285

 

规范(TSpec),276

specification (TSpec), 276

 

TCP 拥塞控制,267

TCP congestion control, 267

 

收发器,386

transceivers, 386

 

传输技术,11

transmission technologies, 11

 

细胞的

cellular

 

1G(第一代),23

1G (first generation), 23

 

2G(第二代),23

2G (second generation), 23

 

3G(第三代),24

3G (third generation), 24

 

4G(第四代),24

4G (fourth generation), 24

 

5G(第五代),25

5G (fifth generation), 25

 

定义, 23

defined, 23

 

以太网

Ethernet

 

承运人, 14

carrier, 14

 

数据中心,13

data centers, 13

 

数据速率,14 - 19

data rates, 14-19

 

定义, 11

defined, 11

 

企业, 13

enterprise, 13

 

家园, 12

homes, 12

 

地铁, 14

metro, 14

 

办公室, 12

offices, 12

 

标准,14

standards, 14

 

广域网,14

WANs, 14

 

Wi-Fi 组合,12

Wi-Fi combination, 12

 

无线上网

Wi-Fi

 

数据速率,21 - 22

data rates, 21-22

 

定义, 19

defined, 19

 

企业, 20

enterprise, 20

 

家园, 20

homes, 20

 

公共, 20

public, 20

 

标准,21

standards, 21

 

交通物联网服务,376

transportation IoT services, 376

 

传输层安全 (TLS),437 - 438

Transport Layer Security (TLS), 437-438

 

技巧模式,302

trick mode, 302

 

信任, 447

trust, 447

 

TSpec(流量规范),276

TSpec (traffic specification), 276

 

隧道ID字段(流表匹配字段),100

Tunnel IDs field (flow table match fields), 100

 

隧道,245

tunnels, 245

 

类型 1/类型 2 虚拟机管理程序,183

Type 1/Type 2 hypervisors, 183

 

U

U

 

UAT(用户验收测试),471

UAT (user acceptance testing), 471

 

UC(统一通信),33

UC (unified communications), 33

 

音频会议,34

audio conferencing, 34

 

福利, 36

benefits, 36

 

收敛,35

convergence, 35

 

定义, 33

defined, 33

 

元素,33 - 35

elements, 33-35

 

即时通讯,34

instant messaging, 34

 

IP 支持联络中心,35

IP enabling contact centers, 35

 

流动性, 35

mobility, 35

 

存在, 35

presence, 35

 

RTC 仪表板,33

RTC dashboard, 33

 

统一消息传递,34

unified messaging, 34

 

视频会议,34

video conferencing, 34

 

网络会议,34

web conferencing, 34

 

UDP源/目的端口(流表匹配字段),100

UDP source/destination ports (flow table match fields), 100

 

无约束设备,410

unconstrained devices, 410

 

单播寻址,231

unicast addressing, 231

 

统一功能测试,489

Unified Functional Testing, 489

 

统一消息传递,34

unified messaging, 34

 

统一接口,129

uniform interfaces, 129

 

统一资源标识符 (URI),129

uniform resource identifiers (URIs), 129

 

未知的风险状况,452

unknown risk profiles, 452

 

更新操作集指令,102

update action set instructions, 102

 

更新元数据指令,102

update metadata instructions, 102

 

更新交换机统计数据,132

updating switch statistics, 132

 

URI(统一资源标识符),129

URIs (uniform resource identifiers), 129

 

用例(NFV),221

use cases (NFV), 221

 

建筑,222 - 223

architectural, 222-223

 

面向服务,223 - 225

service-oriented, 223-225

 

CDN,224

CDNs, 224

 

固定接入网络功能,225

fixed access network functions, 225

 

家庭环境,224

home environments, 224

 

移动蜂窝网络,223

mobile cellular networks, 223

 

RAN 设备,224

RAN equipment, 224

 

用户验收测试(UAT),471

user acceptance testing (UAT), 471

 

用户

users

 

定义, 5

defined, 5

 

经验。请参阅 体验质量

experience. See QoE

 

接口,147

interface, 147

 

无线,52

wireless, 52

 

V

V

 

变异性,48

variability, 48

 

可变长度数据包,44

variable-length packets, 44

 

VCA-DCV(VMware 认证助理 — 数据中心虚拟化),483

VCA-DCV (VMware Certified Associate—Data Center Virtualization), 483

 

VCAP5-DCA(VMware 认证高级专业人员 5 — 数据中心管理),483

VCAP5-DCA (VMware Certified Advanced Professional 5—Data Center Administration), 483

 

VCAP5-DCD(VMware 认证高级专业 5 — 数据中心设计),484

VCAP5-DCD (VMware Certified Advanced Professional 5—Data Center Design), 484

 

VCDX5-DCV(VMware 认证设计专家 5 — 数据中心虚拟化),484

VCDX5-DCV (VMware Certified Design Expert 5—Data Center Virtualization), 484

 

VCP5-DCV(VMware 认证专家 5 — 数据中心虚拟化),483

VCP5-DCV (VMware Certified Professional 5—Data Center Virtualization), 483

 

VCP-NV(VMware 认证专家 — 网络虚拟化)认证,481

VCP-NV (VMware Certified Professional —Network Virtualization) certification, 481

 

VC(虚拟通道),245

VCs (virtual channels), 245

 

速度,48

velocity, 48

 

版本控制系统,477

version control systems, 477

 

视频

video

 

会议, 34

conferencing, 34

 

内容交付

content delivery

 

在线,302 - 303

online, 302-303

 

卫星电视端到端传输链,301

satellite TV end-to-end delivery chain, 301

 

按需,17

on demand, 17

 

质量专家组 (VQEG),305

Quality Experts Group (VQEG), 305

 

服务 QoE/QoS 映射模型,327 - 329

services QoE/QoS mapping models, 327-329

 

VID(VLAN 标识符),237

VIDs (VLAN identifiers), 237

 

VIM(虚拟化基础设施管理),217 - 218

VIM (virtualized infrastructure management), 217-218

 

虚拟通道 (VC),245

virtual channels (VCs), 245

 

虚拟局域网。查看 VLAN

virtual local-area networks. See VLANs

 

虚拟机监视器 (VMM), 179 - 180 , 183

virtual machine monitors (VMMs), 179-180, 183

 

虚拟机。查看 虚拟机

virtual machines. See VMs

 

虚拟网络平台即服务 (VNPaaS),223

virtual network platform as a service (VNPaaS), 223

 

虚拟专用网络。查看 VPN

virtual private networks. See VPNs

 

虚拟租户网络。参见 VTN

Virtual Tenant Network. See VTN

 

虚拟化

virtualization

 

背景, 178

background, 178

 

CDN,224

CDNs, 224

 

认证计划,481 - 483

certification programs, 481-483

 

集装箱,183

container, 183

 

定义, 177

defined, 177

 

固定接入网络功能,225

fixed access network functions, 225

 

硬件, 178

hardware, 178

 

家庭环境,224

home environments, 224

 

IND,210

IND, 210

 

基础设施管理,217 - 218

infrastructure management, 217-218

 

网络

network

 

敏捷性, 253

agility, 253

 

建筑,250 - 252

architecture, 250-252

 

福利, 252

benefits, 252

 

节省资本成本,253

capital cost savings, 253

 

定义, 247

defined, 247

 

设备整合,253

equipment consolidation, 253

 

例如,248 - 249

example, 248-249

 

灵活性,253

flexibility, 253

 

职能经理,218

function manager, 218

 

基于基础设施,212

infrastructure-based, 212

 

L2 与L3,210 - 211

L2 versus L3, 210-211

 

抽象层次,248

levels of abstraction, 248

 

逻辑资源,247

logical resources, 247

 

网络功能虚拟化,187

NFV, 187

 

NFVI 替代方案,211

NFVI alternatives, 211

 

节省运营成本,253

operational cost savings, 253

 

物质资源,247

physical resources, 247

 

快速服务提供,253

rapid service provisioning, 253

 

可扩展性,253

scalability, 253

 

虚拟覆盖,212

virtual overlay, 212

 

虚拟资源,247

virtual resources, 247

 

网络功能虚拟化。参见 网络功能虚拟化

NFV. See NFV

 

分区,212

partitioning, 212

 

资源, 247

resources, 247

 

SDI

SDI

 

应用程序, 258

applications, 258

 

建筑,261 - 262

architecture, 261-262

 

定义, 257

defined, 257

 

特征,258 - 259

features, 258-259

 

网络功能虚拟化,258

NFV, 258

 

SDN,258

SDN, 258

 

安全数据表,259 - 260

SDS, 259-260

 

服务器,68

servers, 68

 

VLAN

VLANs

 

配置,234

configuration, 234

 

定义, 234

defined, 234

 

IEEE 802.1Q 标准,237 - 238

IEEE 802.1Q standard, 237-238

 

会员资格,235 - 236

membership, 235-236

 

嵌套, 239

nesting, 239

 

OpenFlow 支持,240

OpenFlow support, 240

 

虚拟机

VMs

 

架构,180 - 183

architectures, 180-183

 

云NaaS,166

CloudNaaS, 166

 

容器虚拟化,183

container virtualization, 183

 

定义, 178 , 187

defined, 178, 187

 

文件,181

files, 181

 

模板, 181

templates, 181

 

类型 1/类型 2 虚拟机管理程序,183

Type 1/Type 2 hypervisors, 183

 

VMM,179 - 180

VMMs, 179-180

 

VNF, 187 , 213

VNFs, 187, 213

 

目录,219

catalog, 219

 

组件(VNFC),213 - 216

components (VNFCs), 213-216

 

转发图, 187 , 223

forwarding graphs, 187, 223

 

接口,213 - 214

interfaces, 213-214

 

经理(VNFM),218

manager (VNFM), 218

 

势函数,213

potential functions, 213

 

缩放,216

scaling, 216

 

套,187

sets, 187

 

VNFC 到 VNFC 通信,215 - 216

VNFC to VNFC communication, 215-216

 

VPN,241

VPNs, 241

 

定义, 241

defined, 241

 

IPsec,241 - 243

IPsec, 241-243

 

多协议标签交换 (MPLS),243 - 247

MPLS, 243-247

 

越南电视台, 127 , 253 - 257

VTN, 127, 253-257

 

建筑, 257

architecture, 257

 

控制器,127

controllers, 127

 

协调员,254

Coordinator, 254

 

元素, 254

elements, 254

 

流量,256

flows, 256

 

经理, 254

Manager, 254

 

测绘, 255

mapping, 255

 

虚拟化网络功能。请参阅 VNF

virtualized network function. See VNFs

 

VLAN(虚拟局域网),234

VLANs (virtual local-area networks), 234

 

配置,234

configuration, 234

 

定义, 234

defined, 234

 

ID/VLAN用户优先级字段(流表匹配字段),100

ID/VLAN user priority fields (flow table match fields), 100

 

标识符 (VID),237

identifiers (VIDs), 237

 

IEEE 802.1Q 标准,237 - 238

IEEE 802.1Q standard, 237-238

 

会员资格,

membership,

 

沟通, 236

communicating, 236

 

定义, 235

defining, 235

 

嵌套, 239

nesting, 239

 

OpenFlow 支持,240

OpenFlow support, 240

 

VMM(虚拟机监视器),179 - 180 , 183

VMMs (virtual machine monitors), 179-180, 183

 

VM(虚拟机),178

VMs (virtual machines), 178

 

架构,180 - 183

architectures, 180-183

 

云NaaS,166

CloudNaaS, 166

 

容器虚拟化,183

container virtualization, 183

 

定义, 49 , 178 , 187

defined, 49, 178, 187

 

文件,181

files, 181

 

模板, 181

templates, 181

 

类型 1/类型 2 虚拟机管理程序,183

Type 1/Type 2 hypervisors, 183

 

VMM,179 - 180

VMMs, 179-180

 

VMware 认证高级专业人员 5 — 数据中心管理 (VCAP5-DCA),483

VMware Certified Advanced Professional 5—Data Center Administration (VCAP5-DCA), 483

 

VMware 认证高级专家 — 数据中心设计 (VCAP5-DCD),484

VMware Certified Advanced Professional — Data Center Design (VCAP5-DCD), 484

 

VMware 认证助理 — 数据中心虚拟化 (VCA-DCV),483

VMware Certified Associate—Data Center Virtualization (VCA-DCV), 483

 

VMware 认证设计专家 5 — 数据中心虚拟化 (VCDX5-DCV),484

VMware Certified Design Expert 5—Data Center Virtualization (VCDX5-DCV), 484

 

VMware 认证专家 5 — 数据中心虚拟化 (VCP5-DCV),483

VMware Certified Professional 5—Data Center Virtualization (VCP5-DCV), 483

 

VMware 认证专家 - 网络虚拟化 (VCP-NV) 认证,481

VMware Certified Professional—Network Virtualization (VCP-NV) certification, 481

 

VNF(虚拟化网络功能), 187 , 213

VNF (virtualized network functions), 187, 213

 

目录,219

catalog, 219

 

组件,213 - 216

components, 213-216

 

转发图,223

forwarding graphs, 223

 

接口,213 - 214

interfaces, 213-214

 

经理(VNFM),218

manager (VNFM), 218

 

势函数,213

potential functions, 213

 

缩放,216

scaling, 216

 

套,187

sets, 187

 

VNFC 到 VNFC 通信,215 - 216

VNFC to VNFC communication, 215-216

 

VNF FG(VNF转发图),187,223

VNF FG (VNF forwarding graph), 187, 223

 

VNFaaS(VNF 即服务),222

VNFaaS (VNF as a Service), 222

 

VNFC(VNF 组件),213 - 216

VNFCs (VNF components), 213-216

 

VNFM(虚拟网络功能管理器),218

VNFM (virtual network function manager), 218

 

VNPaaS(虚拟网络平台即服务),223

VNPaaS (virtual network platform as a service), 223

 

VoIP 呼叫,341

VoIP calls, 341

 

VPN(虚拟专用网络),241

VPNs (virtual private networks), 241

 

定义, 241

defined, 241

 

IPsec, 241 , 243

IPsec, 241, 243

 

多协议标签交换 (MPLS),243 - 247

MPLS, 243-247

 

第2层,245 - 246

Layer 2, 245-246

 

第3层, 246

Layer 3, 246

 

VQEG(视频质量专家组),305

VQEG (Video Quality Experts Group), 305

 

VTN(虚拟租户网络), 127 , 253 - 257

VTN (Virtual Tenant Network), 127, 253-257

 

建筑, 257

architecture, 257

 

控制器,127

controllers, 127

 

协调员,254

Coordinator, 254

 

元素, 254

elements, 254

 

流量,256

flows, 256

 

经理, 254

Manager, 254

 

测绘, 255

mapping, 255

 

W

 

WAN(广域网),14

WANs (wide-area networks), 14

 

瀑布开发,471

waterfall development, 471

 

WDM(波分复用)​​,8

WDM (wavelength-division multiplexing), 8

 

网络

web

 

会议, 34

conferencing, 34

 

安全,455

security, 455

 

网站

websites

 

ACM 职业资源,489

ACM Career Resources, 489

 

“光传输网络中核心节点和聚合节点的带宽需求” 37

“Bandwidth Needs in Core and Aggregation Nodes in the Optical Transport Network,” 37

 

职业概述,490

Career Overview, 490

 

思科系统互联技术手册,299

Cisco Systems Internetworking Technology Handbook, 299

 

CoAP,411

CoAP, 411

 

计算机工作,490

Computer Jobs, 490

 

计算机科学学生资源,490

Computer Science Student Resources, 490

 

ComputerWorld IT 主题中心,490

ComputerWorld IT Topic Center, 490

 

骰子,490

DICE, 490

 

IBM 研究“我们每天创建 2.5 Quintillion 字节数据”网站,73

IBM Study “Every Day We Create 2.5 Quintillion Bytes of Data” website, 73

 

IEEE,490

IEEE, 490

 

SDN 控制器间通信:使用边界网关协议,143

Inter-SDN Controller Communication: Using Border Gateway Protocol, 143

 

ioBridge,427

ioBridge, 427

 

物联网,409

IoTivity, 409

 

物联网世界论坛, 401 , 431

IoT World Forum, 401, 431

 

IT 职业资源,489 - 490

IT career resources, 489-490

 

Kemp Technologies 博客“SDN 来自火星,NFV 来自金星” 229

Kemp Technologies blog “SDN is from Mars, NFV is from Venus,” 229

 

Linux 基金会,409

Linux Foundation, 409

 

伊斯兰会议组织,409

OIC, 409

 

OpenCrowd 示例 SaaS 服务调查,352 - 353

OpenCrowd example SaaS services survey, 352-353

 

实时.io,430

RealTime.io, 430

 

“SDI 战争:软件定义中心基础设施是什么鬼?” 263

“SDI Wars: WTF Is Software Defined Center Infrastructure?,” 263

 

Smashwords.com,263

Smashwords.com, 263

 

泰勒和弗朗西斯在线,431

Taylor & Francis Online, 431

 

电信灯塔,229

Telecom Lighthouse, 229

 

事物说话,428

ThingSpeak, 428

 

加权红色 (WRED), 271

weighted RED (WRED), 271

 

WFQ(加权公平排队),279

WFQ (weighted fair queuing), 279

 

广域网 (WAN),14

wide-area networks (WANs), 14

 

无线上网

Wi-Fi

 

数据速率,21 - 22

data rates, 21-22

 

定义, 19

defined, 19

 

企业, 20

enterprise, 20

 

以太网组合,12

Ethernet combination, 12

 

家园, 20

homes, 20

 

移动流量,52

mobile traffic, 52

 

公共, 20

public, 20

 

SDN 应用,168

SDN applications, 168

 

标准,21

standards, 21

 

Wi-Fi 联盟,21

Wi-Fi Alliance, 21

 

工作站,46

workstations, 46

 

全球移动总流量,51

world total mobile traffic, 51

 

包装纸

wrappers

 

国际CN,171

ICN, 171

 

OpenDaylight SDNi,142

OpenDaylight SDNi, 142

 

WRED(加权红色),271

WRED (weighted RED), 271

 

X – Z

X – Z

 

XaaS(X 即服务),357 - 358

XaaS (X as a Service), 357-358

 

Xamarin,489

Xamarin, 489

 

代码片段

Code Snippets

 
图像
图像